Notice of Pre-AIA or AIA Status

Information Disclosure Statement
The IDS filed 2/16/2022 has been considered and entered. The IDS did not impact patentability of the claims submitted in the examiner's amendment dated 12/24/2021. The amendment is included herein for convenience.

EXAMINER'S AMENDMENT

An examiner's amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.

Authorization for this examiner's amendment was given in an interview with Robyn Wagner on 12-14-2021.

The application has been amended as follows:

data appliance for evaluating and selectively blocking network traffic 
a processor configured to: 
implement a firewall that uses an external network to communicate with a security platform that stores a first set of signatures, wherein the data appliance stores a second set of signatures that is a subset of the first set of the first set of signatures;

receive and store a plurality of 

receive at least a portion of a file en route to a client device and in response to receiving the at least the portion of the file, determine that a signature of the at least the portion is not present among the second set of signatures, wherein the signature, if matched by the at least the portion of the file, would indicate whether or not the file is malicious;

in response to determining that the signature is not present among the second set of signatures:
query the security platform for a verdict including whether or not the file is malicious; and

subsequent to the query and prior to receiving the verdict from the security platform:
determine a filetype associated with a sequence of received packets associated with the at least the portion of the received file and use the determined filetype to select either a linear classification model or a non-linear classification model, from the [[set]] plurality of sample classification models, to use in performing analysis of the at least the portion of the received file, wherein the analysis includes n-gram analysis;

perform the n-gram analysis on the sequence of received packets; and

determine [[that]] whether the received file is malicious based at least in part on the n-gram analysis of the sequence of received packets, and: 

in response to determining that the received file is malicious, prevent propagation of the received file; and

in response to determining that the received file is not malicious, permit propagation of the received file to the client device; and

wherein if an additional file having an additional sequence of packets matching the sequence of received packets is received, prevent propagation of the additional file; and

in response to receiving the verdict from the security platform, use the verdict to determine whether or not to prevent propagation instead of using the plurality of classification models; and

a memory coupled to the processor and configured to provide the processor with instructions.
for evaluating and selectively blocking network traffic, implemented by a processor configured to perform the method, the method comprising:
implementing a firewall that uses an external network to communicate with a security platform that stores a first set of signatures, wherein the data appliance stores a second set of signatures that is a subset of the first set of the first set of signatures;

receiving and storing a plurality of 

receiving at least a portion of a file en route to a client device and in response to receiving the at least the portion of the file, determining that a signature of the at least the portion is not present among the second set of signatures, wherein the signature, if matched by the at least the portion of the file, would indicate whether or not the file is malicious;

in response to determining that the signature is not present among the second set of signatures:
querying the security platform for a verdict including whether or not the file is malicious; and

subsequent to the querying and prior to receiving the verdict from the security platform:
determining a filetype associated with a sequence of received packets associated with the at least the portion of the received file and using the determined filetype to select either a linear classification model or a non-linear classification model, from the [[set]] plurality of sample classification models, to use in performing analysis of the at least the portion of the received file, wherein the analysis includes n-gram analysis;

performing the n-gram analysis on the sequence of received packets; and

determining [[that]] whether the received file is malicious based at least in part on the n-gram analysis of the sequence of received packets, and:

in response to determining that the received file is malicious, preventing propagation of the received file; and

in response to determining that the received file is not malicious, permitting propagation of the received file to the client device; and

wherein if an additional file having an additional sequence of packets matching the sequence of received packets is received, preventing propagation of the additional file; and

in response to receiving the verdict from the security platform, using the verdict to determine whether or not to prevent propagation instead of using the set of classification models.


20. (Currently Amended) A computer program product embodied in a non-transitory computer readable storage medium and comprising computer instructions configured for:
implementing a firewall that uses an external network to communicate with a security platform that stores a first set of signatures, wherein the data appliance stores a second set of signatures that is a subset of the first set of the first set of signatures;

receiving and storing a plurality of 

receiving at least a portion of a file en route to a client device and in response to receiving the at least the portion of the file, determining that a signature of the at least the portion is not present among the second set of signatures, wherein the signature, if matched by the at least the portion of the file, would indicate whether or not the file is malicious;

in response to determining that the signature is not present among the second set of signatures:
querying the security platform for a verdict including whether or not the file is malicious; and

subsequent to the querying and prior to receiving the verdict from the security platform:
determining a filetype associated with a sequence of received packets associated with the at least the portion of the received file and using the determined filetype to select either a linear classification model or a non-linear classification model, from the [[set]] plurality of sample classification models, to use in performing analysis of the at least the portion of the received file, wherein the analysis includes n-gram analysis;

performing the n-gram analysis on the sequence of received packets; and


determining [[that]] whether the received file is malicious based at least in part on the n-gram analysis of the sequence of received packets, and: 

in response to determining that the received file is malicious, preventing propagation of the received file; and

in response to determining that the received file is not malicious, permitting propagation of the received file to the client device; and

wherein if an additional file having an additional sequence of packets matching the sequence of received packets is received, preventing propagation of the additional file; and

in response to receiving the verdict from the security platform, using the verdict to determine whether or not to prevent propagation instead of using the set of classification models.
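As an illustration of the sequence of operations recited in the claims above, the following Python is a constructed example added here for convenience; it is not the applicant's implementation, nor code from any product. It models a data appliance that first consults its locally held subset of signatures, then, for an unknown file, queries the security platform and, while that verdict is outstanding, selects a linear or a non-linear classifier according to the detected filetype, runs 2-gram analysis on the received packets, prevents or permits propagation, prevents propagation of any later file whose packet sequence matches one already judged malicious, and finally lets the platform's verdict supersede the classifier. The sha256 file signature, the magic-byte filetype detection, the bigram and entropy features, the toy model weights, the sample byte strings and the `queries.append` callback standing in for the security platform are all assumptions made for this example.

```python
# Constructed example of the claimed inline pipeline; not the applicant's code.
# Assumptions: sha256 as the file signature, magic-byte filetype detection,
# byte-bigram features, toy model weights, and a query callback standing in
# for the remote security platform (its verdict arrives later via on_verdict).
import hashlib
import math
from collections import Counter

def signature(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed samples whose signatures the appliance already holds locally ("second set").
SAMPLE_KNOWN_BAD = b"MZ" + b"\x90" * 64 + b"\xcc" * 16
SAMPLE_KNOWN_GOOD = b"%PDF-1.4 constructed benign sample"
LOCAL_SIGNATURES = {signature(SAMPLE_KNOWN_BAD): True, signature(SAMPLE_KNOWN_GOOD): False}

def detect_filetype(packets) -> str:
    """Filetype from the magic bytes of the first received packet (assumed rule)."""
    head = packets[0] if packets else b""
    return "pe" if head.startswith(b"MZ") else "pdf" if head.startswith(b"%PDF") else "unknown"

def bigram_features(data: bytes) -> dict:
    """2-gram analysis over the received bytes plus byte entropy (constructed feature set)."""
    if len(data) < 2:
        return {"nop_nop": 0.0, "int3": 0.0, "entropy": 0.0}
    grams, seen = Counter(zip(data, data[1:])), Counter(data)
    entropy = -sum(c / len(data) * math.log2(c / len(data)) for c in seen.values())
    return {"nop_nop": grams[(0x90, 0x90)] / sum(grams.values()),  # share of NOP,NOP bigrams
            "int3": seen[0xCC] / len(data), "entropy": entropy}      # share of 0xCC bytes

def linear_model(f: dict) -> float:
    """Linear (logistic) classifier with constructed toy weights; returns P(malicious)."""
    z = 6.0 * f["nop_nop"] + 4.0 * f["int3"] + 0.3 * f["entropy"] - 2.5
    return 1.0 / (1.0 + math.exp(-z))

def nonlinear_model(f: dict) -> float:
    """Non-linear classifier: a small rule tree with a feature interaction (constructed)."""
    if f["nop_nop"] > 0.2 and f["int3"] > 0.05:
        return 0.95
    return 0.70 if f["entropy"] > 7.5 else 0.10

MODEL_BY_FILETYPE = {"pe": linear_model, "pdf": nonlinear_model, "unknown": nonlinear_model}

class DataAppliance:
    def __init__(self, local_signatures, query_platform, threshold=0.5):
        self.local_signatures = dict(local_signatures)  # the locally held subset
        self.query_platform, self.threshold = query_platform, threshold
        self.blocked_sequences = set()  # fingerprints of packet sequences judged malicious
        self.pending = {}               # signature -> (provisional action, fingerprint)

    @staticmethod
    def sequence_fingerprint(packets) -> str:
        """Identifies the packet sequence itself, so a repeat of it is blocked outright."""
        return hashlib.sha256(b"".join(len(p).to_bytes(4, "big") + p for p in packets)).hexdigest()

    def inspect(self, packets) -> tuple:
        """Decide block/allow for a file's packets; returns (action, basis)."""
        data = b"".join(packets)
        sig = signature(data)
        if sig in self.local_signatures:        # local signature hit: no query needed
            return ("block" if self.local_signatures[sig] else "allow", "local-signature")
        fp = self.sequence_fingerprint(packets)
        if fp in self.blocked_sequences:        # same packet sequence already flagged
            return ("block", "sequence-cache")
        if sig in self.pending:                 # query outstanding: keep the provisional call
            return (self.pending[sig][0], "pending-provisional")
        self.query_platform(sig)                # verdict arrives later via on_verdict()
        model = MODEL_BY_FILETYPE[detect_filetype(packets)]
        score = model(bigram_features(data))
        action = "block" if score >= self.threshold else "allow"
        if action == "block":
            self.blocked_sequences.add(fp)
        self.pending[sig] = (action, fp)
        return (action, f"{model.__name__}:{score:.2f}")

    def on_verdict(self, sig: str, malicious: bool) -> str:
        """Platform verdict supersedes the classifier and clears the provisional state."""
        self.local_signatures[sig] = malicious
        _, fp = self.pending.pop(sig, (None, None))
        if fp is not None and not malicious:
            self.blocked_sequences.discard(fp)  # a benign verdict also lifts the sequence block
        return "block" if malicious else "allow"

def run_demo() -> dict:
    """Walks one appliance through the cases the claims describe (constructed packets)."""
    queries = []
    appliance = DataAppliance(LOCAL_SIGNATURES, queries.append)
    unknown_pe = [b"MZ" + b"\x90" * 40, b"\x90" * 24 + b"\xcc" * 12]
    benign_pe = [b"MZ", b"This program cannot be run in DOS mode." + b"\x00" * 20]
    benign_pdf = [b"%PDF-1.4 ", b"%constructed benign document"]
    results = {"known_bad": appliance.inspect([SAMPLE_KNOWN_BAD]),
               "unknown_pe": appliance.inspect(unknown_pe),
               "repeat_pe": appliance.inspect(unknown_pe),   # served from the sequence cache
               "benign_pe": appliance.inspect(benign_pe),
               "benign_pdf": appliance.inspect(benign_pdf)}
    results["verdict"] = appliance.on_verdict(signature(b"".join(unknown_pe)), malicious=False)
    results["after_verdict"] = appliance.inspect(unknown_pe)  # the verdict now wins over the model
    results["queries"] = len(queries)
    return results
```

Calling `run_demo()` exercises each branch in turn: the locally signed sample is decided without any query, the unknown executable is provisionally blocked by the linear model and its packet sequence is then blocked from the cache on a repeat, the benign samples are allowed, and once the platform's verdict arrives it is cached as a local signature and supersedes the classifier on the next inspection. The design choice worth noting is that the provisional decision and the sequence cache are both keyed to the outstanding query, so a benign verdict clears them rather than leaving a stale block in place.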

 
 



Allowable Subject Matter
Claims 1-3, 6-7, and 9-20 are allowed.

The following is an examiner's statement of reasons for allowance:
Li et al. (US 2018/0300482) discloses n-gram analysis in [0024] and the use of both linear and non-linear classification models in [0043].

Schmidtler et al. (US 2018/0013772) discloses building n-grams in [0021], performing inline analysis in [0025], and running a classifier analysis on a packet in [0026] and [0012].

Vu et al. (US 2015/0244730) discloses in [0067] selecting a model based on a determined file type.



The prior art of record does not explicitly disclose, in light of the other features recited in the independent claims:
before the verdict is received,
in response to determining that the received file is malicious, preventing propagation of the received file;
in response to determining that the received file is not malicious, permitting propagation of the received file to the client device;
if an additional file having an additional sequence of packets matching the sequence of received packets is received, preventing propagation of the additional file; and
in response to receiving the verdict from the security platform, using the verdict to determine whether or not to prevent propagation instead of using the set of classification models.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance."




Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RICHARD A MCCOY whose telephone number is (313) 446-6520. The examiner can normally be reached on M - F 10 - 6.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Lynn Feild, can be reached at 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/RICHARD A MCCOY/Examiner, Art Unit 2431