DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-20 have been examined. 

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 12/23/2019 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:
(A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: “a classification controller to: in response to…”, “a remediation controller to, in response to …” in claim 1, “a decryption controller to: execute a first decipher algorithm…” in claim 2, “a language analyzer to determine…”, “a code analyzer to determine…”, “an executable analyzer to determine…” in claim 3, “a report generator to generate a report…” in claim 6.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof. See paragraphs [0040], [0043], [0046], [0049], [0052], [0059] and [0061] of the published specification of the instant application for corresponding structure.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.


Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1, 5-8, 12-15, 19 and 20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by CA 2983429 to Von Gravrock et al (hereinafter Gravrock).
As per claims 1, 8 and 15, Gravrock teaches:
An apparatus comprising: 
a classification controller to: in response to a first classification score of a first network traffic sample satisfying a first threshold, determine whether a second classification score of a second network traffic sample satisfies a second threshold (Gravrock: [0051]: in some embodiments, the anomaly detection module 310 is configured to extract features out of the appliance traffic data and the appliance identification data to determine confidence levels for anomalies related to processes on the smart appliance 100. In some example embodiments, the anomaly detection module 310 uses numerical scores to represent confidence levels. In one example, the anomaly detection module 310 computes confidence levels in batches. The batches can comprise confidence levels for appliance traffic data and appliance identification data received during a particular time period, i.e., a first confidence level is computed for appliance traffic received during a first time period and a second confidence level is computed for appliance traffic received during a second time period. In some embodiments, the anomaly control module uses thresholds to determine if an anomaly exists and represents malicious behavior. [0068]: If the behavior analysis engine 110 determines that the confidence level for an anomaly is at Confidence Level A 422, then the behavior analysis engine 110 instructs 425 the network traffic hub 105 to block traffic relating to the anomaly. Confidence Level A 422 could be a threshold for a numerical score representing the confidence level); and 
in response to the second classification score of the second network traffic sample satisfying the second threshold, classify network traffic associated with the first network traffic sample and the second network traffic sample as potentially malicious network traffic (Gravrock: [0068]: If the behavior analysis engine 110 determines that the confidence level for an anomaly is at Confidence Level A 422, then the behavior analysis engine 110 instructs 425 the network traffic hub 105 to block traffic relating to the anomaly. Confidence Level A 422 represents a high level of confidence that the anomaly is caused by malicious behavior); and 
a remediation controller to, in response to the network traffic being classified as the potentially malicious network traffic, execute a remediation action to remediate malicious activity associated with the potentially malicious network traffic (Gravrock: [0057]: If the anomaly control module determines that an anomaly in the local network represents malicious behavior, the anomaly control module 315 sends traffic control instructions to the network traffic hub 105. The particular traffic control instructions might depend on the type of anomaly. [0058]: If the confidence level for a particular anomaly is high enough, anomaly control module 315 can instruct the network traffic hub 105 to block traffic). 

As per claims 5, 12 and 19, Gravrock teaches:
The apparatus of claim 1, wherein the first threshold and the second threshold correspond to similarities to malware (Gravrock: [0051]: In one example, the anomaly detection module 310 computes confidence levels in batches. The batches can comprise confidence levels for appliance traffic data and appliance identification data received during a particular time period. In some embodiments, the anomaly control module uses thresholds to determine if an anomaly exists and represents malicious behavior. [0068]: Confidence Level A 422 represents a high level of confidence that the anomaly is caused by malicious behavior. [0082]-[0083]: Referring now to FIG. 5C, after receiving the confidence scores (560, 565), the anomaly control module 530 makes a determination 570 about whether it thinks that malware is present on appliance 1 500 and appliance 2 505. The anomaly control module 530 makes the determination 570 based on the confidence scores (560, 565). Based on the confidence scores (560, 565), the anomaly control module 530 determines that appliance 1 500 does not have malware and that appliance 2 505 does have malware.).

As per claims 6 and 13, Gravrock teaches:
The apparatus of claim 1, further including a report generator to generate a report including at least one of the first classification score, the second classification score, an indication of whether the first network traffic sample and the second network traffic sample are potentially malicious, a decipher algorithm that allowed decryption of the first network traffic sample and the second network traffic sample (Gravrock: [0058]: If the confidence level for a particular anomaly is high enough, anomaly control module 315 can instruct the network traffic hub 105 to block traffic. In some example embodiments, the anomaly control module 315 notifies the user that it has instructed the network traffic hub 105 to block traffic. In some embodiments, the anomaly control module 315 includes information about the blocked traffic to the user in the notification, such as the source internet address, the destination address, the identity of the smart appliance, the source destination pair, or information about the anomaly. [0060]: If the anomaly control module 315 determines that the code is malicious, then it instructs the network traffic hub 105 to block the download. The anomaly control module 315 notifies the user that the download has been blocked, including information about what code was being downloaded and why it was blocked).

As per claims 7, 14 and 20, Gravrock teaches:
The apparatus of claim 1, wherein the remediation controller is to at least one of: block network traffic between a source address and a destination address; alert security software at a computing device of the potentially malicious network traffic; quarantine files corresponding to a process that initiated the potentially malicious network traffic; or stop the process in memory that initiated the potentially malicious network traffic sample (Gravrock: [0058]: If the confidence level for a particular anomaly is high enough, anomaly control module 315 can instruct the network traffic hub 105 to block traffic. [0060]: If the anomaly control module 315 determines that the code is malicious, then it instructs the network traffic hub 105 to block the download).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 2, 9 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Gravrock and CN 110569653 to Zhou et al (hereinafter Zhou).
Examiner’s Note: The examiner used a translated version of the description of CN 110569653. The translated version of the description is attached to the end of the original document.
As per claims 2, 9 and 16, Gravrock does not teach the limitations of claim 2. However, Zhou teaches:
further including a decryption controller to: execute a first decipher algorithm selected from a database, the database including additional decipher algorithms to decipher the first network traffic sample; in response to the first network traffic sample not being deciphered by the first decipher algorithm, select a second decipher algorithm from the database to decipher the first network traffic sample; and in response to the second decipher algorithm deciphering the first network traffic sample, obtain a plain text representation of the first network traffic sample (Zhou: [0008]: the encryption/decryption unit obtains the data to be processed and the first processing algorithm of the data to be processed, where the first processing algorithm is used to instruct that the algorithm engine corresponding to the first processing algorithm be invoked to perform the encryption or decryption processing indicated by the first processing algorithm on the data to be processed. If the first processing algorithm fails to process the data to be processed, the encryption/decryption unit acquires the second processing algorithm matched by the intelligent scheduling unit for the data to be processed, and then the encryption/decryption unit invokes the algorithm engine corresponding to the second processing algorithm to perform the encryption or decryption processing indicated by the second processing algorithm on the data to be processed. [0063]: S210, the algorithm engine 108 returns the plaintext data to be read to the application program 102).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Zhou in the invention of Gravrock to include the above limitations. The claim would have been obvious because a particular known technique was recognized as part of the ordinary capabilities of one skilled in the art (see KSR Int’l Co. v. Teleflex Inc. 550 U.S. ___, 82 USPQ2d 1385 (Supreme Court 2007) (KSR)).
Claims 3, 4, 10, 11, 17 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Gravrock, US 11012414 to Moore et al (hereinafter Moore) and CN 105357179 to Liu Yu (hereinafter Yu).
Examiner’s Note: The examiner used a translated version of the description of CN 105357179. The translated version of the description is attached to the end of the original document.
As per claims 3, 10 and 17, Gravrock teaches:
The apparatus of claim 1, further including: 
an executable analyzer to determine a third score associated with a third similarity of the plain text representation of: (a) the first network traffic sample or (b) the second network traffic sample to an executable file (Gravrock: [0060]: in some embodiments, the anomaly control module 315 receives a notification from the network traffic hub 105 that software (executable file) was being downloaded by a smart appliance 100. The notification includes the code (executable file) that is being downloaded, and the anomaly control module 315 analyzes the code to determine whether it is malicious. In some embodiments, the anomaly control module 315 sends the code to the anomaly detection module 310 for analysis. If the anomaly control module 315 determines that the code is malicious, then it instructs the network traffic hub 105 to block the download. In some embodiments, the anomaly detection module 310 uses information about code that was blocked when determining confidence levels).
Gravrock does not teach: a language analyzer to determine a first score associated with a first similarity of a plain text representation of: (a) the first network traffic sample or (b) the second network traffic sample to a conversational language; a code analyzer to determine a second score associated with a second similarity of the plain text representation of: (a) the first network traffic sample or (b) the second network traffic sample to a programming language. However, Moore teaches:
a language analyzer to determine a first score associated with a first similarity of a plain text representation of: (a) the first network traffic sample or (b) the second network traffic sample to a conversational language (Moore: column 23, lines 60-67: A cybersecurity application may then analyze the logged DNS request, for example, to determine if the DNS request may be associated with a DNS tunneling attack or exfiltration attack. The logic may determine a probability that a request is associated with a legitimate request. Claim 1: receiving, by the gatekeeper, a plurality of packets; based on a determination that a first packet of the plurality of packets comprises a first domain name, testing, without querying the DNS, the probabilistic data structure to determine if the first domain name is registered in the DNS; and based on a determination that the first domain name is not registered in the DNS: determining, based on at least one criteria, a legitimacy of the first packet. Claim 9: wherein the at least one criteria comprises one or more of: whether one or more portions of the first packet correlate with human language words (conversational language)); 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Moore in the invention of Gravrock to include the above limitations. The motivation to do so would be to provide efficient packet filtering for cyber threat intelligence (CTI) applications (Moore: column 4, lines 6-7).
Gravrock in view of Moore does not teach: a code analyzer to determine a second score associated with a second similarity of the plain text representation of: (a) the first network traffic sample or (b) the second network traffic sample to a programming language. However, Yu teaches:
a code analyzer to determine a second score associated with a second similarity of the plain text representation of: (a) the first network traffic sample or (b) the second network traffic sample to a programming language (Yu: [0058]: Step S101, obtain attack characteristic information and the first data packet that matches with described attack characteristic information; [0065]: Step S102, obtains the grammar information of preset programming language and the context grammar information of described programming language; [0068] Step S103, according to the grammar information and the context grammar information, judge whether the first data packet is an attack data packet, and obtain the judgment result (score)); 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Yu in the invention of Gravrock in view of Moore to include the above limitations. The motivation to do so would be to provide a network attack processing method and device, aiming at solving the technical problem of easy misjudgment when detecting network attacks (Yu: [0007]).

As per claims 4, 11 and 18, Gravrock in view of Moore and Yu teaches:
The apparatus of claim 3, wherein the classification controller is to: determine the first classification score associated with a similarity of the plain text representation of the first network traffic sample to malware based on the first score, the second score, and the third score; and determine the second classification score associated with a similarity of the plain text representation of the second network traffic sample to malware based on the first score, the second score, and the third score (Gravrock: [0060]: in some embodiments, the anomaly control module 315 receives a notification from the network traffic hub 105 that software (executable file) was being downloaded by a smart appliance 100. The notification includes the code (executable file) that is being downloaded, and the anomaly control module 315 analyzes the code to determine whether it is malicious. In some embodiments, the anomaly detection module 310 uses information about code that was blocked when determining confidence levels. Moore: column 23, lines 60-67: A cybersecurity application may then analyze the logged DNS request, for example, to determine if the DNS request may be associated with a DNS tunneling attack or exfiltration attack. The logic may determine a probability that a request is associated with a legitimate request. Claim 1: receiving, by the gatekeeper, a plurality of packets; based on a determination that a first packet of the plurality of packets comprises a first domain name, testing, without querying the DNS, the probabilistic data structure to determine if the first domain name is registered in the DNS; and based on a determination that the first domain name is not registered in the DNS: determining, based on at least one criteria, a legitimacy of the first packet. Claim 9: wherein the at least one criteria comprises one or more of: whether one or more portions of the first packet correlate with human language words (conversational language). Yu: [0058]: Step S101, obtain attack characteristic information and the first data packet that matches with described attack characteristic information; [0065]: Step S102, obtains the grammar information of preset programming language and the context grammar information of described programming language; [0068]: Step S103, according to the grammar information and the context grammar information, judge whether the first data packet is an attack data packet, and obtain the judgment result (score)).
The examiner provides the same rationale to combine references Gravrock, Moore and Yu as in claims 3, 10 and 17 above. 
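The claimed pipeline, as recited in claims 1 through 4 and 7 above, as one added illustration in Python: the decipher-algorithm cascade of claim 2, the three analyzers of claim 3 feeding the classification score of claim 4, the two-sample threshold check of claim 1, and the remediation actions of claim 7. This is constructed example code, not code from the application or from Gravrock, Moore, Yu or Zhou; the decipher algorithms, word lists, score weighting, thresholds and sample traffic are all hypothetical stand-ins.

```python
import base64
import binascii
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Sample:
    """One network traffic sample: source, destination and captured payload (constructed)."""
    src: str
    dst: str
    payload: bytes


def _printable(data: bytes) -> bool:
    return len(data) > 0 and all(32 <= c < 127 or c in (9, 10, 13) for c in data)


def _b64(data: bytes) -> Optional[bytes]:
    try:
        return base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None


# Decryption controller "database" (claim 2). A decipher counts as successful when its
# output is printable text; otherwise the next algorithm is tried. Hypothetical entries.
DECIPHER_DB: Dict[str, Callable[[bytes], Optional[bytes]]] = {
    "base64": _b64,
    "plain": lambda d: d,
    "xor-0xff": lambda d: bytes(b ^ 0xFF for b in d),
}


def decryption_controller(payload: bytes) -> Optional[Tuple[str, str]]:
    """Try each decipher algorithm in turn; return (algorithm, plaintext) or None."""
    for name, algo in DECIPHER_DB.items():
        out = algo(payload)
        if out is not None and _printable(out):
            return name, out.decode("ascii")
    return None


# Analyzers (claim 3): each returns a similarity in [0, 1]. The word/token lists are tiny
# constructed stand-ins for a real language model, grammar model and executable signature set.
ENGLISH = {"hello", "please", "see", "you", "at", "the", "meeting", "thanks", "and", "there"}
CODE_TOKENS = {"function", "var", "eval", "return", "if", "else", "while", "=", "{", "}", "(", ")", ";"}
EXEC_MARKERS = ("MZ", "PE", "This program cannot be run in DOS mode", ".text")


def language_score(text: str) -> float:
    toks = text.split()
    return sum(t.lower() in ENGLISH for t in toks) / len(toks) if toks else 0.0


def code_score(text: str) -> float:
    toks = text.split()
    return sum(t in CODE_TOKENS for t in toks) / len(toks) if toks else 0.0


def executable_score(text: str) -> float:
    return sum(m in text for m in EXEC_MARKERS) / len(EXEC_MARKERS)


def classification_score(text: str) -> float:
    """Claim 4: malware similarity from the first, second and third scores (constructed weighting)."""
    first, second, third = language_score(text), code_score(text), executable_score(text)
    return max(second, third) * (1.0 - first)


def remediation_controller(s1: Sample, s2: Sample) -> List[str]:
    """Claim 7 style actions, recorded as strings here rather than executed."""
    blocks = list(dict.fromkeys(f"block {s.src} -> {s.dst}" for s in (s1, s2)))
    return blocks + ["alert endpoint security software"]


def classification_controller(s1: Sample, s2: Sample, t1: float = 0.5, t2: float = 0.5) -> dict:
    """Claim 1: the second sample is scored only if the first meets t1; both samples are
    classified potentially malicious only when both thresholds are met."""
    result = {"malicious": False, "scores": [], "algorithms": [], "actions": []}
    for sample, threshold in ((s1, t1), (s2, t2)):
        deciphered = decryption_controller(sample.payload)
        if deciphered is None:  # no algorithm in the database recovered plaintext
            return result
        algo, text = deciphered
        score = classification_score(text)
        result["scores"].append(round(score, 3))
        result["algorithms"].append(algo)
        if score < threshold:
            return result
    result["malicious"] = True
    result["actions"] = remediation_controller(s1, s2)
    return result


# Constructed traffic: an XOR-obscured script then a base64-wrapped executable stub,
# and a benign pair of chat messages (addresses are documentation ranges).
SCRIPT = Sample("10.0.0.5", "203.0.113.9", bytes(b ^ 0xFF for b in b"function run ( ) { eval ( x ) ; return 1 ; }"))
EXE = Sample("10.0.0.5", "203.0.113.9", base64.b64encode(b"MZ This program cannot be run in DOS mode PE .text"))
CHAT1 = Sample("10.0.0.7", "198.51.100.2", b"hello please see you at the meeting")
CHAT2 = Sample("10.0.0.7", "198.51.100.2", b"thanks and see you there")

if __name__ == "__main__":
    print(classification_controller(SCRIPT, EXE))
    print(classification_controller(CHAT1, CHAT2))
```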

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MADHURI R HERZOG whose telephone number is (571)270-3359. The examiner can normally be reached 8:30AM-5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on (571)272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

MADHURI R. HERZOG
Primary Examiner
Art Unit 2438



/MADHURI R HERZOG/Primary Examiner, Art Unit 2438