Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 02-01-2022 has been entered.

Response to Arguments
Applicant’s arguments, see Remarks filed 02-01-2022, with respect to the double patenting rejection have been fully considered and are persuasive in light of the e-terminal disclaimer filed on 02-01-2022. The rejection is withdrawn.
Applicant's arguments in the Remarks filed on 02-01-2022 with regard to the 101 (abstract idea) rejection (pgs. 2-5) have been fully considered but they are not persuasive. Applicant argues that “The Office Action both misstates the guidance with respect to Step 2A, Prong One, and fails to recognize limitations that the courts have identified as not mental processes because they cannot be performed in the human mind… In short, unlike conventional attack detection techniques, the claimed signature is generated based on output of a network attack, such as might be posted publicly on pastebin or the like. Id. at ¶ [0035]. The signature can be generated without the need to monitor the attack in real-time, or even access logs saved during the attack. A person of ordinary skill in the art would have, with the benefit of the disclosure of the application, clearly recognized the improvement, and the improvement is reflected in the claim. Claim 1 is therefore patent eligible under at least Step 2A, Prong Two of the subject matter eligibility analysis, as it is directed to an improvement in technology”. The examiner respectfully disagrees with the arguments. The examiner considered the limitations of the claims and the claims as a whole. The claims in app. 16473933 state that the traffic is stored and that a network attack is identified from the copy of the stored data, thereby generating a signature, which contains one or more rules to identify subsequent attacks. A person of ordinary skill in the art, using a network tool like Wireshark or Logic Monitor, can capture monitored traffic (i.e., output of network traffic) or logs or records of traffic (i.e., a data dump), analyze the same and, if any abnormality is found, turn that abnormality into a signature or rule and configure it in the firewalls, or use the same signature/rule to identify further attacks in future traffic, whether done manually or automated.
If Applicant relies on a signature defined by byte sequences in malicious traffic, that is not recited in the claims and cannot be imported from the specification (MPEP 2111.01 II). The signature could be replaced by a threshold, or vice versa, and the concept would not change. Furthermore, while the stored traffic is being analyzed for attacks, attacks that are already ongoing and/or emanating from malicious sources are not prevented in any way. The concept of signature generation is considered a pre-solution activity and amounts to mere data gathering, which is a form of insignificant extra-solution activity. The network appliance that performs the comparison step is also recited at a high level of generality. Each of the additional limitations is no more than mere instructions to apply the exception using a generic computer component (the network appliance). The combination of these additional elements is no more than mere instructions to apply the exception using a generic computer. The Symantec, TLI, and OIP Techs. court decisions cited in MPEP 2106.05(d)(II) indicate that mere collection or receipt of data over a network is a well-understood, routine, and conventional function when it is claimed in a merely generic manner (as it is here), and that identifying in a stored (static) portion of traffic is well-understood, routine, conventional activity is supported under Berkheimer. Therefore the rejection is maintained.
Applicant's arguments in the Remarks filed on 02-01-2022 with regard to the 103 rejection (pgs. 5-7) have been fully considered but they are not persuasive. Applicant argues that “The claimed data dump is not analogous to the "network data" received by a "digital data tap," as disclosed by Aziz . As provided in the Specification of the instant application, "[t]he data dump 204 can be a database storing data, a website hosting data, [or] a network file system having data." Published Application, ¶ [0028]. The data dump "includes at least a portion of the sensitive information 212 arising as a result of a data breach." Id. The data dump also, as claimed, includes "information about [a] network attack, comprising at least one characteristic indicative of a method used to obtain the data dump…”. The examiner respectfully disagrees with the arguments. The specification summary recites: storing, at a trusted secure computing device, at least a portion of network traffic communicated with the computer system; the computing device generating a copy of data distributed across a network; Pg. 6, Figure 2: data is stored in communication with the network 200 as a data dump. Prior art Aziz teaches in C5L28-30, Fig. 2 that the tap copies any portion of the network data (i.e., a data dump, which is the network traffic of Fig. 7). For example, the tap copies any number of data packets from the network data and provides the data to the controller in Fig. 1, which stores the network data; this is analogous to the data dump recited in the claim. The data dump can be logs, records or repositories of any given data. Also, neither the data dump nor generating a copy of the data dump is an inventive concept, as it is well-known, non-obvious and not novel (see, as referred to in Aziz: Boubalos, Chris, "extracting syslog data out of raw pcap dumps", seclists.org, Honeypots mailing list archives, available at http://seclists.org/honeypots/2003/q2/319 ("Boubalos"), (Jun. 5, 2003)); therefore the prior art Aziz in combination with Xu does teach the claimed concept. However, without acceding to the arguments per se, for clarity and in light of the new amendments to the claims, a new prior art reference is used to teach the amended claims. Also, the characteristic method is merely indicative, such as a database query comprising certain columns, and even that is determined based on query results. This is not the same as a flag, a source identifier or the identity of the method used to obtain the data; even so, that is not novel and is well-known and obvious (Couch US 6618718 (Pub. 2003) discusses a query identification module). MPEP 2141.002 VI: PRIOR ART MUST BE CONSIDERED IN ITS ENTIRETY, INCLUDING DISCLOSURES THAT TEACH AWAY FROM THE CLAIMS. Therefore it is understood that the signature is applied to detect attacks. Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references. Applicant's arguments do not comply with 37 CFR 1.111(c) because they do not clearly point out the patentable novelty which he or she thinks the claims present in view of the state of the art disclosed by the references cited or the objections made. Further, they do not show how the amendments avoid such references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986). Therefore the rejection is maintained.

Claim Rejections - 35 USC § 101 (Abstract Idea)
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


8. Claims 1-13 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more, analyzed according to the 2019 Revised Patent Subject Matter Eligibility Guidance (“2019 PEG”). The claims recite storing a portion of network traffic, identifying an attack from the stored copy of the traffic that includes the method used to obtain the data, generating a signature, and identifying the attack in the stored network data based on the generated signature.
Step 1: Claims 1, 12 and 13 do fall into one of the four statutory categories, as method and system claims. Nevertheless the claims are still considered to be directed to an abstract idea for the following prongs and reasons.
Step 2A, Prong 1: The limitations of claims 1, 12 and 13 recite: storing a portion of network traffic, identifying an attack from the stored copy of the traffic, generating a signature, and identifying the attack in the stored network data based on the generated signature. As drafted, this is a process that, under its broadest reasonable interpretation, covers performance of the limitation in
Dependent claims 2-11, which in turn encompass analyzing code/script and data, analyzing compromised endpoints and data that includes tokens, keys, credentials, etc., and taking remedial measures accordingly, are mere structural addenda and are other steps that could be performed by a human manually, with or without a computer. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the human mind in an organized way but for the recitation of generic computer components, then it falls within the “certain methods of organizing human activities/mental processes” grouping of abstract ideas and can be done manually. Accordingly, the claim recites an abstract idea.
Prong 2: This judicial exception is not integrated into a practical application. In particular, the claims do not recite any additional element beyond the routine steps of storing a portion of network traffic, identifying an attack from the stored copy of the traffic, generating a signature, and identifying the attack in the stored network data based on the generated signature. The steps are recited at a high level of generality (i.e., as generic terms performing generic computer functions (spec. Fig. 1)), such that they amount to no more than mere instructions to apply the exception using generic computer components. Accordingly, this additional element does not
Step 2B: The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, storing a portion of network traffic, identifying an attack from the stored copy of the traffic, generating a signature, and identifying the attack in the stored network data based on the generated signature amount to no more than mere instructions to apply the exception using generic computer terms. Mere instructions to apply an exception using generic computer components cannot provide an inventive concept. The claims are not patent eligible. Therefore all the corresponding dependent claims 2-11 are also rejected for the same rationale.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-13 are rejected under 35 U.S.C. 103 as being unpatentable over Aziz et al (US 9071638), hereafter Aziz, and Xu et al (US 20170264626), hereafter Xu, and further in view of Sood et al (US 20160094573), hereafter Sood.
Claim 1: Aziz teaches a computer implemented method to detect a data breach in a network-connected computing system, the method comprising: storing, at a [trusted secure computing] device, at least a portion of network traffic communicated with the computer system; (C8L21-23: the heuristic module contained within the controller (C16L13-16: generates, encrypts, and transmits i.e., trusted secure device) receives data packets and stores the data packets within a buffer or other memory);
generating, by the [trusted secure computing] device, a copy of a data dump distributed across a network; (BRI, Pg. 6: data dump 204 can be a database storing data, a website hosting data, a network file system having data or any other network connected mechanism through which the data of data dump 204 is generally accessible via the network 200. For example, the data dump 204 is stored in a public information or data exchange facility such as an internet website for exchanging data publicly) (C16L39-41: storage system comprises a database or other data structure configured to hold and organize data (network data, copies of network data, buffered data) and C5L22-24: tap is a digital data tap that provides a copy of the network data to the controller);
identifying, by the [trusted secure computing] device, information about a network attack stored in the copy of the data dump; (col. 2 lines 53-57: analyzing the network data comprises configuring a virtual machine to receive the network data and analyzing the response of the virtual machine to the network data to detect and/or identify a malware attack);
generating, by the [trusted secure computing] device, a signature for the network attack based on the identified information about the network attack, the signature including rules for identifying the network attack in network traffic; (col. 2 lines 58-59: comprises generating an unauthorized activity signature based on the detection of the malware attack, col. 10, 11 lines 58-63, 23-26: policy engine creates and/or applies a rule to flag all data related to the data flows as suspicious, flags network data related to suspicious network data until the analysis environment determines that the network data flagged as suspicious is related to unauthorized activity);
Aziz is silent on and identifying an occurrence of the network attack in the stored portion of network traffic based on the generated signature.
But the analogous art Xu teaches the information about the network attack comprising at least one characteristic indicative of a method used to obtain the data dump; ([086] a cookie is a status indicator for a user to mark their interaction history, [0103-109] all the HTTP sessions that potentially expose the malware identifying information (i.e., information about network attack) are identified in the sample data set… command and control (C2) communications represent a significant case for discovering identification information in HTTP session traffic, the reputation of domains as applied in this context provides a useful indication of whether the whole session belongs to a C2 session (i.e., characteristic indicative of a method used to obtain data; this characteristic is similar to the mechanism explained on pg. 10 of the specification, such as a DB). In these sessions, if a common key-value pair(s) is identified that exists in all or most of transactions, then such key-value pair(s) is used to store the identity information of malware, [149-170] Figs. 8 and 9 explain watermarking cookies (i.e., characteristic indicative of a method used to obtain data), collecting data in pcap data dumps by crawling public websites, which are detonated in virtual environments to identify (malicious) cookie behaviors); and identifying an occurrence of the network attack in the stored portion of network traffic based on the generated signature. ([0043, 47, 145, Fig. 6B] the new signature is tested against the stored test data set to verify that it does not result in too many false positives, and the performance of the clustering-based approach was compared with a content-based approach).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Aziz to include the idea of testing the generated signature on stored data as taught by Xu so as to efficiently and effectively detect the malicious traffic with higher accuracy ([0077]).
The combination of Aziz and Xu is silent on use of a trusted secure computing device.
But the analogous art Sood teaches use of a trusted secure computing device. ([0019, 38-39] a platform-specific TEE that assumes the role of platform security policy inspector; the Trusted Execution Environment (TEE) reads packets of VNFC-VNFC and VNF-VNF networks… The TEE module performs a security assessment of one or more packets of the server based on the retrieved information to determine, whether the packets pose a security threat…).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combined inventions of Aziz and Xu to include the idea to use a TEE to detect attacks as taught by Sood so that the platform-specific TEE uses hypervisor access into the various virtual switch interfaces and into TAPs to access traffic data ([019]).
Claim 12: Aziz teaches a computer system comprising: a processor and memory storing computer program code for detecting a data breach in a network-connected computing system by (Fig. 7): storing, at a [trusted secure computing] device, at least a portion of network traffic communicated with the computer system; generating, by the [trusted secure computing] device, a copy of a data dump distributed across a network; identifying, by the [trusted secure computing] device, information about a network attack stored in the copy of the data dump; generating, by the [trusted secure computing] device, a signature for the network attack based on the identified information about the network attack, the signature including rules for identifying the network attack in network traffic; (col. 8 lines 21-23: the heuristic module contained within the controller (C16L13-16: generates, encrypts, and transmits i.e., trusted secure device) receives data packets and stores the data packets within a buffer or other memory; col. 5 lines 22-24: tap is a digital data tap configured to receive network data and provide a copy of the network data to the controller, C16L39-41: storage system comprises a database or other data structure configured to hold and organize data (network data, copies of network data, buffered data); col. 2 lines 53-57: analyzing the network data comprises configuring a virtual machine to receive the network data and analyzing the response of the virtual machine to the network data to detect and/or identify a malware attack; col. 2 lines 58-59: comprises generating an unauthorized activity signature based on the detection of the malware attack, col. 10, 11 lines 58-63, 23-26: policy engine creates and/or applies a rule to flag all data related to the data flows as suspicious, flags network data related to suspicious network data until the analysis environment determines that the network data flagged as suspicious is related to unauthorized activity);
Aziz is silent on and identifying an occurrence of the network attack in the stored portion of network traffic based on the generated signature.
But the analogous art Xu teaches the information about the network attack comprising at least one characteristic indicative of a method used to obtain the data dump; and identifying an occurrence of the network attack in the stored portion of network traffic based on the generated signature. ([086] a cookie is a status indicator for a user to mark their interaction history, [0103-109] all the HTTP sessions that potentially expose the malware identifying information (i.e., information about network attack) are identified in the sample data set… command and control (C2) communications represent a significant case for discovering identification information in HTTP session traffic, the reputation of domains as applied in this context provides a useful indication of whether the whole session belongs to a C2 session (i.e., characteristic indicative of a method used to obtain data; this characteristic is similar to the mechanism explained on pg. 10 of the specification). In these sessions, if a common key-value pair(s) is identified that exists in all or most of transactions, then such key-value pair(s) is used to store the identity information of malware, [149-170] Figs. 8 and 9 explain watermarking cookies (i.e., characteristic indicative of a method used to obtain data), collecting data in pcap data dumps by crawling public websites, which are detonated in virtual environments to identify (malicious) cookie behaviors; [0043, 47, 145, Fig. 6B] the new signature is tested against the stored test data set to verify that it does not result in too many false positives, and the performance of the clustering-based approach was compared with a content-based approach).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Aziz to include the idea of testing the generated signature on stored data as taught by Xu so as to efficiently and effectively detect the malicious traffic with higher accuracy ([0077]).
The combination of Aziz and Xu is silent on use of a trusted secure computing device.
But the analogous art Sood teaches use of a trusted secure computing device. ([0019, 38-39] a platform-specific TEE that assumes the role of platform security policy inspector; the Trusted Execution Environment (TEE) reads packets of VNFC-VNFC and VNF-VNF networks… The TEE module performs a security assessment of one or more packets of the server based on the retrieved information to determine, whether the packets pose a security threat…).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combined inventions of Aziz and Xu to include the idea to use TEE to detect attacks as taught by Sood so that the platform-specific TEE uses hypervisor access into the various virtual switch interfaces and into TAPs to access traffic data ([019]).
Claim 13: Aziz teaches a non-transitory computer-readable storage element storing computer program code to, when loaded into a computer system and executed thereon, cause the computer system to detect a data breach in a network-connected computing system by (Fig. 7): storing, at a [trusted secure computing] device, at least a portion of network traffic communicated with the computer system; generating, by the [trusted secure computing] device, a copy of a data dump distributed across a network; identifying, by the [trusted secure computing] device, information about a network attack stored in the copy of the data dump; generating, by the [trusted secure computing] device, a signature for the network attack based on the identified information about the network attack, the signature including rules for identifying the network attack in network traffic; (col. 8 lines 21-23: the heuristic module contained within the controller (C16L13-16: generates, encrypts, and transmits i.e., trusted secure device) receives data packets and stores the data packets within a buffer or other memory; col. 5 lines 22-24: tap is a digital data tap configured to receive network data and provide a copy of the network data to the controller, C16L39-41: storage system comprises a database or other data structure configured to hold and organize data (network data, copies of network data, buffered data); col. 2 lines 53-57: analyzing the network data comprises configuring a virtual machine to receive the network data and analyzing the response of the virtual machine to the network data to detect and/or identify a malware attack; col. 2 lines 58-59: comprises generating an unauthorized activity signature based on the detection of the malware attack, col. 10, 11 lines 58-63, 23-26: policy engine creates and/or applies a rule to flag all data related to the data flows as suspicious, flags network data related to suspicious network data until the analysis environment determines that the network data flagged as suspicious is related to unauthorized activity);
Aziz is silent on and identifying an occurrence of the network attack in the stored portion of network traffic based on the generated signature.
But the analogous art Xu teaches the information about the network attack comprising at least one characteristic indicative of a method used to obtain the data dump; and identifying an occurrence of the network attack in the stored portion of network traffic based on the generated signature. ([086] a cookie is a status indicator for a user to mark their interaction history, [0103-109] all the HTTP sessions that potentially expose the malware identifying information (i.e., information about network attack) are identified in the sample data set… command and control (C2) communications represent a significant case for discovering identification information in HTTP session traffic, the reputation of domains as applied in this context provides a useful indication of whether the whole session belongs to a C2 session (i.e., characteristic indicative of a method used to obtain data, this characteristic similar to mechanism explained in pg. 10 specification). In these sessions, if a common key-value pair(s) is identified that exists in all or most of transactions, then such key-value pair(s) is used to store the identity information of malware, [149-170] Figs. 8 and 9 explains watermarking cookies (i.e., characteristic indicative of a method used to obtain data), collecting data in pcap data dumps by crawling public websites and are detonated in virtual environments to identify (malicious) cookie behaviors; [0043, 47, 145, Fig. 6B] the new signature is tested against the stored test data set to verify that it does not result in too many false positives and the performance of clustering-based approach was compared with a content-based approach).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Aziz to include the idea of testing the generated signature on stored data as taught by Xu so as to efficiently and effectively detect the malicious traffic with higher accuracy ([0077]).
The combination of Aziz and Xu is silent on use of a trusted secure computing device.
But the analogous art Sood teaches use of a trusted secure computing device. ([0019, 38-39] a platform-specific TEE that assumes the role of platform security policy inspector; the Trusted Execution Environment (TEE) reads packets of VNFC-VNFC and VNF-VNF networks… The TEE module performs a security assessment of one or more packets of the server based on the retrieved information to determine, whether the packets pose a security threat…).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combined inventions of Aziz and Xu to include the idea to use TEE to detect attacks as taught by Sood so that the platform-specific TEE uses hypervisor access into the various virtual switch interfaces and into TAPs to access traffic data ([019]).
Claim 2: the combination of Aziz, Xu and Sood teaches the method of claim 1, wherein the identified information about the network attack includes at least a portion of code or script for carrying out the network attack, and the signature identifies the network attack based on the at least a portion of code or script. (Xu: [0059] environment detects and prevents malware from causing harm (malicious software includes any executable program, such as active content, executable code, and scripts, that can interfere with the operation of a computing device or computer network, attempt unauthorized access of data or components of a computing device, and/or perform various other malicious, unauthorized, and/or undesirable activities)).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Aziz to include the idea of detecting malicious code as taught by Xu so as to efficiently and effectively detect the malicious traffic with higher accuracy ([0077]).
Claim 3: the combination of Aziz, Xu and Sood teaches the method of claim 1, wherein the identified information about the network attack includes at least a portion of data obtained by the network attack, and the signature identifies the network attack based on characteristics of the at least a portion of obtained data. (Aziz: col. 10 lines 15-17: the unauthorized activity signature provides code that is used to eliminate or "patch" portions of network data containing an attack).
Claim 4: the combination of Aziz, Xu and Sood teaches the method of claim 3, wherein the characteristics of the at least a portion of obtained data include at least one of: one or more of an identification, data type, number or order of data fields in the at least a portion of obtained data; metadata associated with the at least a portion of obtained data; or the content of the at least a portion of obtained data. (Aziz: col. 9 lines 25-27: the fingerprint module determines any type of packet format of network data; col. 11 lines 3-8: the policy engine scans the header of a packet of network data as well as the packet contents for unauthorized activity, or scans only the header of the packet for unauthorized activity based on the unauthorized activity signature).
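To make concrete what the claim 1 procedure and the claim 4 characteristics amount to in practice, the following is an added worked example; it is not code from the application or from Aziz, Xu or Sood. It builds a signature from the structure of a leaked data dump (number, order and inferred type of the data fields, as claim 4 lists them), applies that signature to a stored copy of network traffic to find the flows that carried the same records, and as a by-product yields the compromised endpoints and session tokens that the dependent claims speak of. The dump, the traffic and the field-type patterns are constructed for illustration; the column and type names are assumptions of this example, not terms from the application.

```python
"""Derive a detection signature from a leaked data dump and apply it to stored
traffic.  Added example; all inputs are constructed for illustration."""
import re
from dataclasses import dataclass

# Constructed dump: rows as they might appear in a public paste (Pg. 6 of the
# spec describes the dump as data reachable via a website or file share).
DATA_DUMP = """\
user_id,email,password_hash,session_token
1001,alice@example.test,5f4dcc3b5aa765d61d8327deb882cf99,tok_8d2f9a
1002,bob@example.test,098f6bcd4621d373cade4e832627b4f6,tok_41c0be
1003,carol@example.test,e99a18c4428cb38d5f260853678922e3,tok_7b9e11
"""

# Constructed stored traffic: (source, destination, payload) captured earlier.
STORED_TRAFFIC = [
    ("10.0.0.5", "203.0.113.9", "GET /index.html HTTP/1.1"),
    ("10.0.0.7", "198.51.100.4",
     "user_id,email,password_hash,session_token\n"
     "1001,alice@example.test,5f4dcc3b5aa765d61d8327deb882cf99,tok_8d2f9a"),
    ("10.0.0.7", "198.51.100.4",
     "1002,bob@example.test,098f6bcd4621d373cade4e832627b4f6,tok_41c0be\n"
     "1003,carol@example.test,e99a18c4428cb38d5f260853678922e3,tok_7b9e11"),
    ("10.0.0.9", "203.0.113.9", "POST /login HTTP/1.1\nuser=dave&pass=hunter2"),
    ("10.0.0.9", "203.0.113.9", "order_id,sku,qty,price\n55,ABC-1,2,9.99"),
]

# Field types this example knows how to infer (assumed set; first match wins).
TYPE_PATTERNS = [
    ("int", re.compile(r"^\d+$")),
    ("email", re.compile(r"^[^@\s,]+@[^@\s,]+\.[a-z]+$")),
    ("hex32", re.compile(r"^[0-9a-f]{32}$")),
    ("token", re.compile(r"^tok_[0-9a-f]{6}$")),
]


def infer_type(value: str) -> str:
    """Classify one field value; anything unrecognised is plain text."""
    for name, pattern in TYPE_PATTERNS:
        if pattern.match(value):
            return name
    return "text"


@dataclass(frozen=True)
class Signature:
    fields: tuple  # column names in the order they appear in the dump
    types: tuple   # inferred type of each column

    @property
    def field_count(self) -> int:
        return len(self.fields)


def build_signature(dump: str) -> Signature:
    """The rule set: field order and per-column type, taken from the dump.
    The column list itself is the characteristic indicative of the method that
    produced the dump (e.g. a query selecting exactly these columns)."""
    lines = [ln for ln in dump.splitlines() if ln.strip()]
    header = tuple(lines[0].split(","))
    rows = [ln.split(",") for ln in lines[1:] if len(ln.split(",")) == len(header)]
    types = []
    for col in range(len(header)):
        seen = {infer_type(row[col]) for row in rows}
        # A column only contributes a type rule when every row agrees on it.
        types.append(seen.pop() if len(seen) == 1 else "text")
    return Signature(header, tuple(types))


def row_matches(sig: Signature, line: str) -> bool:
    """A line matches if it is the leaked column list or a typed row of it."""
    parts = tuple(line.strip().split(","))
    if len(parts) != sig.field_count:
        return False
    if parts == sig.fields:
        return True
    return all(infer_type(p) == t for p, t in zip(parts, sig.types))


def scan_traffic(sig: Signature, traffic) -> list:
    """Identify occurrences of the attack in the stored traffic (claim 1)."""
    hits = []
    for idx, (src, dst, payload) in enumerate(traffic):
        rows = [ln for ln in payload.splitlines() if row_matches(sig, ln)]
        if rows:
            hits.append({"index": idx, "src": src, "dst": dst, "rows": rows})
    return hits


def compromised_endpoints(hits) -> list:
    """Endpoints that exchanged traffic corresponding to the signature."""
    return sorted({(h["src"], h["dst"]) for h in hits})


def compromised_values(sig: Signature, hits, column: str) -> list:
    """Values of one column (e.g. session tokens) seen in matching traffic,
    which a defender would then revoke."""
    col = sig.fields.index(column)
    found = set()
    for h in hits:
        for row in h["rows"]:
            parts = row.split(",")
            if tuple(parts) != sig.fields:  # skip the header line itself
                found.add(parts[col])
    return sorted(found)


if __name__ == "__main__":
    signature = build_signature(DATA_DUMP)
    matches = scan_traffic(signature, STORED_TRAFFIC)
    print("signature:", signature)
    print("matching flows:", [m["index"] for m in matches])
    print("endpoints:", compromised_endpoints(matches))
    print("tokens to revoke:", compromised_values(signature, matches, "session_token"))
```

The benign order export in the last traffic entry has the same field count but a different column list and type profile, so it does not match; that is the point of carrying field order and type in the signature rather than a bare field count.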
Claim 5: the combination of Aziz, Xu and Sood teaches the method of claim 1 further comprising identifying a subset of the stored network traffic associated with the attack based on the signature. (Aziz: col. 11 lines 5-8: scans only the header of the packet for unauthorized activity based on the unauthorized activity signature. If unauthorized activity is found, then no further scanning may be performed).
Claim 6: the combination of Aziz, Xu and Sood teaches the method of claim 5, wherein the subset of stored network traffic includes network traffic communicated between communication endpoints involved in network traffic corresponding to the signature, the communication endpoints being compromised communication endpoints. (Aziz: col. 11 lines 20-23: If the packet contents or the packet header indicate that the network data contains unauthorized activity, then the policy engine, the heuristic module, or the signature module take action, (col. 12 lines 47-49) the policy engine compares some or all of the network data to a signature (unauthorized activity signature) to detect and/or identify a malware attack).
Claim 7: the combination of Aziz, Xu and Sood teaches the method of claim 6, further comprising identifying data stored or and/or communicated by or via compromised endpoints as compromised data. (Aziz: col. 6 lines 37-42: a newly coupled device is infected with malware which becomes active upon coupling to a switch and/or a communication network. Before the attack can proceed, the newly coupled device sends a separate ARP request for the IP address of every other digital device the malware wishes to send data to. The controller detects and responds to each ARP request by sending an ARP reply to each request with the controller MAC address).
Claim 8: the combination of Aziz, Xu and Sood teaches the method of claim 7, wherein the compromised data is identified as discredited or invalidated. (Aziz: col. 10 lines 18-20: the unauthorized activity signature is used to identify and eliminate the malware causing the attack).
Claim 9: the combination of Aziz, Xu and Sood teaches the method of claim 7 wherein the compromised data is associated with one or more computing services for generating, accessing or processing the compromised data, and the method further comprises implementing protective measures in respect of the one or more computing services. (Aziz: col. 2 lines 27-30: identify other machines on the network, gather information about the network, compromise network security, and/or infect other machines; col. 3 lines 53-59: If malware is identified as present within the digital devices machine, corrective actions are taken).
Claim 10: the combination of Aziz, Xu and Sood teaches the method of claim 7, wherein the compromised data includes one or more of: at least part of an authentication credential; an access (Xu: [0148, 86] a heuristic is applied based on the observation and pattern of malware behavior that some web-based malware steals user cookies for session hijacking, a cookie shall be an authentication token to identify an end user).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Aziz to include the idea of a compromised user cookie as an authentication token, as taught by Xu, so as to efficiently and effectively detect malicious traffic with higher accuracy ([0077]).
Claim 11: the combination of Aziz, Xu and Sood teaches the method of claim 7, wherein the compromised data includes at least part of an authentication credential, and the authentication credential is revoked in response to the identification of the compromised data. (Aziz: col. 3 lines 48-59: When a digital device is quarantined, all network data transmitted by the digital device is directed to a controller which then analyzes the network data to identify unauthorized activity and/or malware within the connected digital device. Possible corrective actions include, but are not limited to, permanently quarantining the infected digital device, transmitting a patch to remove the malware, generating an unauthorized activity signature, and sending the unauthorized activity signature to the client to remove the malware, (col. 11 lines 27-29) also policy engine and/or the quarantine module quarantines, deletes, or bars other packets belonging to the same data flow as the unauthorized activity packet).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See form PTO-892. Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri -- Champakesan whose telephone number is (571)270-3867. The examiner can normally be reached M-F: 8:30am-5pm (EST). Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado, can be reached on 571-272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/BADRINARAYANAN /Examiner, Art Unit 2496