DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1-20 have been examined and are pending.
Priority
Receipt is acknowledged of certified copies of papers required by 37 CFR 1.55.
Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.


Claim 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Wang et al, hereinafter (“Wang”), Chinese Patent Application (CN102984140), Published 03/20/2013, Machine translated from WIPO, in view of Vejman et al, hereinafter (“Vejman”), US PG Publication (20180198805 A1), in view of Shenoi et al, hereinafter (“Shenoi”), US PG Publication (20130339545 A1).
Regarding claims 1, 9, and 17, Wang teaches a method comprising:
identifying a connection tree for a computing environment based on forwarding rules for virtual nodes in the computing environment, wherein the connection tree comprises a plurality of connections between the virtual nodes; [Wang, pp. 3-4 Summary of Invention, 1) Deploy geographically dispersed nodes in the network based on behavior fragment sharing. 4) Source node calculates a set of neighbor nodes with similar behavior characteristics according to behavior features of the malware compose of the behavior segments of the malware. 5) ... generate a behavioral feature maximum similarity tree on the adjacency graph according to the associated edge data structure of behavioral features as a fusion tree.] 
calculating one or more minimum or maximum spanning trees for the virtual nodes based on the threat values and the connection tree; [Wang, p4 Summary of Invention, 5) On the basis of the feature adjacency graph, a distributed minimum spanning tree algorithm that preferentially selects edges with large weights is used to generate a behavioral feature maximum similarity tree on the adjacency graph according to the associated edge data structure of behavioral features as a fusion tree.]
While Wang teaches the connection tree [See Wang, p4 Summary of Invention, 5) On the basis of the feature adjacency graph, a distributed minimum spanning tree algorithm that preferentially selects edges with large weights is used to generate a behavioral feature maximum similarity tree on the adjacency graph according to the associated edge data structure of behavioral features as a fusion tree.]; however, Wang fails to explicitly teach but Vejman teaches for each connection in the connection tree, determining a threat value based at least on a protocol associated with the connection; [Vejman et al ¶0015: ...generating a graph representing the domain registration data such that each edge of the graph connects a vertex representing a domain and a vertex representing a key, identifying a connected component of the graph that meets a graph robustness threshold, identifying maliciousness labels, determining maliciousness values for unobserved domains considered target vertex. ¶0037: graph generator 212 creates edges 20]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of a malware feature fusion analysis method and system based on behavior segment sharing of Wang before him or her by including the teachings of graph prioritization for improving precision of threat propagation algorithms of Vejman. The 
While Wang teaches the one or more minimum or maximum spanning trees [Wang, p4 Summary of Invention: a distributed minimum spanning tree algorithm]; however, the combination of Wang and Vejman fail to explicitly teach but Shenoi teaches generating a threat propagation summary based on the one or more minimum or maximum spanning trees. [Shenoi, ¶¶0067-0068:  inventive method allows the network administrator to identify a threat, or target packet, and send a hyperspeed signal to any node in the network before a target packet arrives at a node under attack... Intelligence involves integrating time-sensitive information from all sources into concise, accurate and objective reports related to a threat situation. ¶0070: Hyperspeed signaling enables projecting holographic network topologies and transfiguring networks; which enables network topologies to be dynamically manipulated to adapt to environment/context of threat. ¶¶0077-0078: Hyperspeed communication ca be based on route variation implemented in (maximum/minimum) spanning tree.]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of Wang and Vejman before him or her by including the teachings of a network-based hyperspeed communication and defense of Shenoi. The motivation/suggestion would 

Regarding claims 2, 10, and 18, the combination of Wang, Vejman, and Shenoi teach claim 1 as described above.
While Vejman teaches determining the threat value [See Vejman et al ¶0015: ... identifying maliciousness labels, determining maliciousness values]; however, the combination of Wang and Vejman fail to explicitly teach but Shenoi teaches wherein determining the threat value based at least on the protocol associated with the connection comprises determining the threat value based at least on packet size associated with the protocol and security measures implemented by the protocol. [Shenoi ¶0260: computed based on the propagation delay, bandwidth and packet size]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of Wang and Vejman before him or her by including the teachings of a network-based hyperspeed communication and defense of Shenoi. The motivation/suggestion would have been obvious to try to associate the packet size with the calculated maliciousness values/indicators [Shenoi, ¶0260].  

Regarding claims 3 and 11, the combination of Wang, Vejman, and Shenoi teach claim 1 as described above.
 [See Shenoi, ¶¶0067-0068:  inventive method allows the network administrator to identify a threat, or target packet, and send a hyperspeed signal to any node in the network before a target packet arrives at a node under attack.] and 
wherein generating the threat propagation summary occurs in response to the request. [Shenoi, ¶0087: actions are usually automated processes with defined responses.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of Wang and Vejman before him or her by including the teachings of a network-based hyperspeed communication and defense of Shenoi. The motivation/suggestion would have been obvious to try to receive and respond to a request for threat reports of the various situations [Shenoi, ¶¶0067-0070].  

Regarding claims 4 and 12, the combination of Wang, Vejman, and Shenoi teach claim 1 as described above.
However, the combination of Wang and Vejman fail to explicitly teach but Shenoi teaches identifying a virtual node of the virtual nodes associated with a threat; [Shenoi, ¶0088: when malicious packet 25 is identified, a hyperspeed sentinel message 35 is sent to egress filter 36 to intercept malicious packet 25] and 
wherein the threat propagation summary indicates one or more virtual nodes of the virtual nodes with connections to the virtual node. [See Shenoi, ¶0070: Hyperspeed signaling enables projecting holographic network topologies and transfiguring networks; which enables network topologies to be dynamically manipulated to adapt to environment/context of threat.]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of Wang and Vejman before him or her by including the teachings of a network-based hyperspeed communication and defense of Shenoi. The motivation/suggestion would have been obvious to try to the functions of the Intelligence, Surveillance, and Reconnaissance (ISR) to acquire information about threats and threat situations o [Shenoi, ¶0068].  

Regarding claims 5, 13, and 19, the combination of Wang, Vejman, and Shenoi teach claim 4 as described above.
Wang teaches wherein the threat comprises malware executing on the virtual node. [Wang, ¶5: A continuous behavior sub-sequence sub-module or a behavior-dependent sub-graph segmentation sub-module, the continuous behavior sub-sequence sub-module is used to regard the behavior of the malwaresample as a sequentially executed behavior sequence]   

Regarding claims 6 and 14, the combination of Wang, Vejman, and Shenoi teach claim 1 as described above.
However, the combination of Wang and Vejman fail to explicitly teach but Shenoi teaches identifying a virtual node of the virtual nodes associated with a threat; [See Shenoi, ¶0088: when malicious packet 25 is identified, a hyperspeed sentinel message 35 is sent to egress filter 36 to intercept malicious packet 25] and 
identifying one or more nodes of the virtual nodes that satisfy propagation criteria based on the one or more minimum or maximum spanning trees; [Shenoi, ¶0271: A path is not useless unless its cost is greater than a path that already meets the criteria] and 
wherein the threat propagation summary indicates the one or more virtual nodes of the virtual nodes with connections to the virtual node. [See Shenoi, ¶0070: Hyperspeed signaling enables projecting holographic network topologies and transfiguring networks; which enables network topologies to be dynamically manipulated to adapt to environment/context of threat. ¶¶0077-0078: Hyperspeed communication ca be based on route variation implemented in (maximum/minimum) spanning tree.]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of Wang and Vejman before him or her by including the teachings of a network-based hyperspeed communication and defense of Shenoi. The motivation/suggestion would have been obvious to try to Intelligence, Surveillance, and Reconnaissance (ISR) to acquire information about threats and threat situations [Shenoi, ¶0068]. 

Regarding claims 7 and 15, the combination of Wang, Vejman, and Shenoi teach claim 1 as described above.
[Shenoi, ¶¶0149-0150: results of upstream and downstream routes, calculations, are stored the memory of each node, in X.sub.s]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of Wang and Vejman before him or her by including the teachings of a network-based hyperspeed communication and defense of Shenoi. The motivation/suggestion would have been obvious to try to Intelligence, Surveillance, and Reconnaissance (ISR) to acquire information about threats and threat situations [Shenoi, ¶0068]. 

Regarding claims 8, 16, and 20, the combination of teach claim 1 as described above.
However, the combination of Wang and Vejman fail to explicitly teach but Shenoi teaches identifying a virtual node of the virtual nodes associated with a threat; [See Shenoi, ¶0088: when malicious packet 25 is identified, a hyperspeed sentinel message 35 is sent to egress filter 36 to intercept malicious packet 25] and 
wherein generating the threat propagation summary comprises generating an interface that indicates a propagation threat hierarchy to one or more other virtual nodes of the virtual nodes in the computing environment. [Shenoi, ¶¶0072-0073: Network 10 having nodes 12 has route 18 the sequence of links 16 that an electronic signal travels between nodes. Multiprotocol label switching (MPLS)  is an ideal technology for implementing hyperspeed signaling because it has built-in identification and service differentiation technologies. Labels in MPLS act like circuit identifiers in asynchronous transfer mode (ATM) to designate paths 20 taken by packets in the core of network 10. Examiner interprets that hierarchical routing is part MPLS technology. See https://en.wikipedia.org/wiki/Multiprotocol_Label_Switching].
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of Wang and Vejman before him or her by including the teachings of a network-based hyperspeed communication and defense of Shenoi. The motivation/suggestion would have been obvious to try to Intelligence, Surveillance, and Reconnaissance (ISR) to acquire information about threats and threat situations for the purpose of hierarchical identification and management of virtual nodes [Shenoi, ¶0068]. 

	
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Cain (2005/0050350 A1) discloses security indication spanning tree system and method.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAKINAH W TAYLOR whose telephone number is (571)270-0682. The examiner can normally be reached Monday-Friday, 9:45-5:45.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ELENI SHIFERAW can be reached on 571-272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

SAKINAH WHITE-TAYLOR
Examiner
Art Unit 2497



/Sakinah White Taylor/           Examiner, Art Unit 2497