Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 02-01-2022 has been entered.

Response to Arguments
Applicant’s arguments, see Remarks filed on 02-01-2022, with regards to the double patenting rejection have been fully considered and are persuasive.  The rejection is withdrawn in light of the e-terminal disclaimer filed on 02-01-2022. 
Applicant's arguments, see Remarks filed on 10-13-2021, with regards to the 101 (abstract idea) rejection, pgs. 2-5, have been fully considered but they are not persuasive. The client argues that “A claim that does not recite a judicial exception cannot be directed to a judicial exception. MPEP § 2106.04(II)(A)(1). Applicant respectfully requests withdrawal of the rejections under 35 U.S.C. § 101, as no limitations of the claims are identified as reciting a judicial exception”. The examiner respectfully disagrees with the arguments. The examiner considered the limitations of the claims and the claims as a whole. The claims in app. 16473953 recite generating a copy of the network data and identifying network attack information in the stored data, which includes a method (MPEP 2111.01 II). If “signature” were replaced by “virus” or “threshold/frequency”, or vice versa, the concept would not change. Furthermore, while the stored traffic is analyzed for attacks, attacks that are already ongoing and/or emanated from malicious sources are not prevented in any way. The concept of signature generation is considered a pre-solution activity and amounts to mere data gathering, which is a form of insignificant extra-solution activity. The network appliance that performs the comparison step is also recited at a high level of generality. Each of the additional limitations is no more than mere instructions to apply the exception using a generic computer component (the network appliance). The combination of these additional elements is likewise no more than mere instructions to apply the exception using a generic computer component (the network appliance). Accordingly, even in combination, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. 
The background of the example does not provide any indication that the network appliance is anything other than a generic, off-the-shelf computer component, and the Symantec, TLI, and OIP Techs. court decisions cited in MPEP 2106.05(d)(II) indicate that mere collection or receipt of data over a network is a well-understood, routine, and conventional function when it is claimed in a merely generic manner (as it is here) and identifying in a stored .
Applicant's arguments, see Remarks filed on 10-13-2021, with regards to the 103 rejection, pgs. 2-4, have been fully considered but they are not persuasive. The client argues that “The claimed data dump is not analogous to the "network data" received by a "digital data tap," as disclosed by Aziz. Office Action, p. 19 (citing Aziz, col. 5, ll. 22-24). As provided in the Specification of the instant application, "[t]he data dump 204 can be a database storing data, a website hosting data, [or] a network file system having data." Published Application, [0020]. The data dump "includes at least a portion of the sensitive information 212 arising as a result of a data breach." Id. The data dump also, as claimed, includes "information about [a] network attack, comprising at least one characteristic indicative of a method used to obtain the data dump… None of Aziz, Xu, or Sood, disclose identifying, from a copy of a data dump, characteristics indicative of a method to obtain that data dump, and the references cannot be combined to teach this feature”. The examiner respectfully disagrees with the arguments. The spec. summary recites: storing, at a trusted secure computing device, at least a portion of network traffic communicated with the computer system; the computing device generating a copy of data distributed across a network; Pg. 6, Figure 2: data is stored in communication with the network 200 as a data dump. Prior art Aziz teaches in C5L28-30, Fig. 2: the tap copies any portion of the network data (i.e., the data dump, which is the network traffic data), and the data dump is the storage system storing the received network traffic data in Fig. 7. For example, the tap copies any number of data packets from the network data and provides the data to the controller in Fig. 1, which stores the network data; this is analogous to the data dump recited in the claim. The data dump can be logs, records, or repositories of any given data. 
Also, a data dump and generating a copy are referred to in Aziz (Boubalos, Chris, "extracting syslog data out of raw pcap dumps", seclists.org, Honeypots mailing list archives, available at http://seclists.org/honeypots/2003/q2/319 ("Boubalos"), Jun. 5, 2003); therefore the prior art Aziz in combination with Xu and Sood does teach the claimed concept. Also, the characteristic of the method is merely indicative, such as a database query comprising certain columns, and that too is determined based on query results. This is not the same as a flag, a source identifier, or the identity of the method used to obtain the data; even so, that is not novel and is well-known and obvious (Couch, US 6618718 (Pub. 2003), discusses a query identification module). MPEP 2141.02 VI: PRIOR ART MUST BE CONSIDERED IN ITS ENTIRETY, INCLUDING DISCLOSURES THAT TEACH AWAY FROM THE CLAIMS. Therefore it is understood that the signature is applied to detect attacks. Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references. Applicant's arguments do not comply with 37 CFR 1.111(c) because they do not clearly point out the patentable novelty which he or she thinks the claims present in view of the state of the art disclosed by the references cited or the objections made. Further, they do not show how the amendments avoid such references or objections. In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986). Therefore the rejection is maintained.

Claim Rejections - 35 USC § 101 (Abstract Idea)
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


8.	Claims 1 – 6 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more, as analyzed according to the 2019 Revised Patent Subject Matter Eligibility Guidance (“2019 PEG”). The claims recite storing a portion of network traffic, which includes a method of obtaining data, identifying an attack from the stored copy of the traffic, and generating a signature to test against stored data. 
Step 1: Claims 1, 5 and 6 do fall into one of the four statutory categories (method and system claims). Nevertheless, the claims are still considered to be directed to an abstract idea for the following prongs and reasons.
Step 2A, Prong 1: The limitations of claims 1, 5 and 6 recite: storing a portion of network traffic, identifying an attack from the stored copy of the traffic, and generating a signature to test against stored data. As drafted, this is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the human mind and/or with pen and paper, with or without a generic computer. Except for the words ‘A computer system comprising: a processor and memory…’ and ‘A non-transitory computer-readable storage element storing computer program code’ in claims 5 and 6 respectively, nothing in the claim elements precludes the steps from practically being performed in the human mind in an organized way and/or with pen and paper. For example, performing an attack assessment and obtaining various information on any office or campus traffic, generating an attack vector, and using the vector to further scan the copy of data can also be perceived to be done in the human mind in an orderly fashion.  

Prong 2: This judicial exception is not integrated into a practical application. In particular, the claims do not recite any additional element beyond the routine steps of: storing a portion of network traffic, identifying an attack from the stored copy of the traffic, and generating a signature to test against stored data. The steps are recited at a high level of generality (i.e., as generic terms performing generic computer functions (spec. Fig. 1)), such that they amount to no more than mere instructions to apply the exception using generic computer components. Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. Therefore the claims are directed to an abstract idea.
Step 2B: The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, storing a portion of network traffic, identifying an attack from the stored copy of the traffic, and generating a signature to test against stored data amount to no more than mere instructions to apply the exception using generic computer terms. Mere instructions to apply an exception using generic computer components are not patent eligible. Therefore all the corresponding dependent claims 2 – 4 are also rejected for the same rationale.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1 – 6 are rejected under 35 U.S.C. 103 as being unpatentable over Aziz et al. (US 9071638), hereafter Aziz, and Xu et al. (US 20170264626), hereafter Xu, and further in view of Sood et al. (US 20160094573), hereafter Sood.
Claim 1: Aziz teaches a computer implemented method to generate a signature of a network attack for a network-connected computing system, the signature including rules for identifying the network attack, the method comprising: generating, at [a trusted secure computing] device, a copy of a data dump distributed across a network; (BRI: Pg. 6: data dump 204 can be a database storing data, a website hosting data, a network file system having data or any other network connected mechanism through which the data of data dump 204 is generally accessible via the network 200. For example, the data dump 204 is stored in a public information or data exchange facility such as an internet website for exchanging data publicly) (C16L39-41: storage system comprises a database or other data structure configured to hold and organize data (network data, copies of network data, buffered data) and C5L22-24: tap is a digital data tap that provides a copy of the network data to the controller and (C16L13-16: generates, encrypts, and transmits, C5L13-16: the communication network shall be a private computer network i.e., trusted secure device));
identifying, by [the trusted secure computing device], information about the network attack stored in the copy of the data dump; (col. 2 lines 53-57: analyzing the network data comprises configuring a virtual machine to receive the network data and analyzing the response of the virtual machine to the network data to detect and/or identify a malware attack);
Aziz is silent on the information about the network attack comprising at least one characteristic indicative of a method used to obtain the data dump; generating, by [the trusted secure computing] device, the signature for the network attack based on the identified information about the network attack and identifying, via the signature, a subsequent occurrence of the network attack on a computer network.
But analogous art Xu teaches the information about the network attack comprising at least one characteristic indicative of a method used to obtain the data dump; ([086] a cookie is a status indicator for a user to mark their interaction history, [0103-109] all the HTTP sessions that potentially expose the malware identifying information (i.e., information about network attack) are identified in the sample data set… command and control (C2) communications represent a significant case for discovering identification information in HTTP session traffic, the reputation of domains as applied in this context provides a useful indication of whether the whole session belongs to a C2 session (i.e., characteristic indicative of a method used to obtain data; this characteristic is similar to the mechanism explained in pg. 10 of the specification, such as a DB query). In these sessions, if a common key-value pair(s) is identified that exists in all or most of the transactions, then such key-value pair(s) is used to store the identity information of malware, [149-170] Figs. 8 and 9 explain watermarking cookies (i.e., characteristic indicative of a method used to obtain data), collecting data in pcap data dumps by crawling public websites, which are detonated in virtual environments to identify (malicious) cookie behaviors); and generating, by [the computing device], the signature for the network attack based on the identified information about the network attack and identifying, via the signature, a subsequent occurrence of the network attack on a computer network. ([0042, 47, Fig. 6B] malicious HTTP cookies detection and clustering includes extracting one or more patterns from the cookie to generate the signature. The malware samples are monitored again in a second pass of execution of each of these samples in the clean execution environment executed in the malware analysis system).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Aziz to include the idea to generate a signature to identify a network attack as taught by Xu so as to efficiently and effectively detect the malicious traffic with higher accuracy ([0077]).
The combination of Aziz and Xu is silent on use of a trusted secure computing device.
But the analogous art Sood teaches use of a trusted secure computing device. ([0019, 38-39] a platform-specific TEE that assumes the role of platform security policy inspector; the Trusted Execution Environment (TEE) reads packets of VNFC-VNFC and VNF-VNF networks… The TEE module performs a security assessment of one or more packets of the server based on the retrieved information to determine, whether the packets pose a security threat…).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combined inventions of Aziz and Xu to include the idea to use TEE to detect attacks as taught by Sood so that the platform-specific TEE uses hypervisor access into the various virtual switch interfaces and into TAPs to access traffic data ([019]).
Claim 5: Aziz teaches a computer system comprising: a processor and memory storing computer program code for generating a signature of a network attack for a network-connected computing system, the signature including rules for identifying the network attack, by: generating, at a [trusted secure computing] device, a copy of a data dump distributed across a network; identifying, by the [trusted secure computing] device, information about the network attack stored in the copy of the data; (BRI: Pg. 6: data dump 204 can be a database storing data, a website hosting data, a network file system having data or any other network connected mechanism through which the data of data dump 204 is generally accessible via the network 200. For example, the data dump 204 is stored in a public information or data exchange facility such as an internet website for exchanging data publicly) (C16L39-41: storage system comprises a database or other data structure configured to hold and organize data (network data, copies of network data, buffered data) and C5L22-24: tap is a digital data tap that provides a copy of the network data to the controller and (C16L13-16: generates, encrypts, and transmits, C5L13-16: the communication network shall be a private computer network i.e., trusted secure device); col. 2 lines 53-57: analyzing the network data comprises configuring a virtual machine to receive the network data and analyzing the response of the virtual machine to the network data to detect and/or identify a malware attack);
Aziz is silent on the information about the network attack comprising at least one characteristic indicative of a method used to obtain the data dump; generating, by the [trusted secure computing] device, the signature for the network attack based on the identified information about the network attack; and identifying, via the signature, a subsequent occurrence of the network attack on a computer network.
But analogous art Xu teaches the information about the network attack comprising at least one characteristic indicative of a method used to obtain the data dump; generating, by the [trusted secure computing] device, the signature for the network attack based on the identified information about the network attack; and identifying, via the signature, a subsequent occurrence of the network attack on a computer network. ([086] a cookie is a status indicator for a user to mark their interaction history, [0103-109] all the HTTP sessions that potentially expose the malware identifying information (i.e., information about network attack) are identified in the sample data set… command and control (C2) communications represent a significant case for discovering identification information in HTTP session traffic, the reputation of domains as applied in this context provides a useful indication of whether the whole session belongs to a C2 session (i.e., characteristic indicative of a method used to obtain data; this characteristic is similar to the mechanism explained in pg. 10 of the specification). In these sessions, if a common key-value pair(s) is identified that exists in all or most of the transactions, then such key-value pair(s) is used to store the identity information of malware, [149-170] Figs. 8 and 9 explain watermarking cookies (i.e., characteristic indicative of a method used to obtain data), collecting data in pcap data dumps by crawling public websites, which are detonated in virtual environments to identify (malicious) cookie behaviors; [0042, 47, Fig. 6B] malicious HTTP cookies detection and clustering includes extracting one or more patterns from the cookie to generate the signature. The malware samples are monitored again in a second pass of execution of each of these samples in the clean execution environment executed in the malware analysis system).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Aziz to include the idea to generate a signature to identify a network attack as taught by Xu so as to efficiently and effectively detect the malicious traffic with higher accuracy ([0077]).
The combination of Aziz and Xu is silent on use of a trusted secure computing device.
But the analogous art Sood teaches use of a trusted secure computing device. ([0019, 38-39] a platform-specific TEE that assumes the role of platform security policy inspector; the Trusted Execution Environment (TEE) reads packets of VNFC-VNFC and VNF-VNF networks… The TEE module performs a security assessment of one or more packets of the server based on the retrieved information to determine, whether the packets pose a security threat…).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combined inventions of Aziz and Xu to include the idea to use TEE to detect attacks as taught by Sood so that the platform-specific TEE uses hypervisor access into the various virtual switch interfaces and into TAPs to access traffic data ([019]).
Claim 6: Aziz teaches a non-transitory computer-readable storage element storing computer program code to, when loaded into a computer system and executed thereon, cause the computer system to generate a signature of a network attack for a network-connected computing system, the signature including rules for identifying the network attack, by (Fig. 7): generating, at a [trusted secure computing] device, a copy of a data dump distributed across a network; identifying, by the [trusted secure computing] device, information about the network attack stored in the copy of the data dump; (BRI: Pg. 6: data dump 204 can be a database storing data, a website hosting data, a network file system having data or any other network connected mechanism through which the data of data dump 204 is generally accessible via the network 200. For example, the data dump 204 is stored in a public information or data exchange facility such as an internet website for exchanging data publicly) (C16L39-41: storage system comprises a database or other data structure configured to hold and organize data (network data, copies of network data, buffered data) and C5L22-24: tap is a digital data tap that provides a copy of the network data to the controller and (C16L13-16: generates, encrypts, and transmits, C5L13-16: the communication network shall be a private computer network i.e., trusted secure device); col. 2 lines 53-57: analyzing the network data comprises configuring a virtual machine to receive the network data and analyzing the response of the virtual machine to the network data to detect and/or identify a malware attack);

But analogous art Xu teaches the information about the network attack comprising at least one characteristic indicative of a method used to obtain the data dump; generating, by the [trusted secure computing] device, the signature for the network attack based on the identified information about the network attack; and identifying, via the signature, a subsequent occurrence of the network attack on a computer network. ([086] a cookie is a status indicator for a user to mark their interaction history, [0103-109] all the HTTP sessions that potentially expose the malware identifying information (i.e., information about network attack) are identified in the sample data set… command and control (C2) communications represent a significant case for discovering identification information in HTTP session traffic, the reputation of domains as applied in this context provides a useful indication of whether the whole session belongs to a C2 session (i.e., characteristic indicative of a method used to obtain data; this characteristic is similar to the mechanism explained in pg. 10 of the specification). In these sessions, if a common key-value pair(s) is identified that exists in all or most of the transactions, then such key-value pair(s) is used to store the identity information of malware, [149-170] Figs. 8 and 9 explain watermarking cookies (i.e., characteristic indicative of a method used to obtain data), collecting data in pcap data dumps by crawling public websites, which are detonated in virtual environments to identify (malicious) cookie behaviors; [0042, 47, Fig. 6B] malicious HTTP cookies detection and clustering includes extracting one or more patterns from the cookie to generate the signature. The malware samples are monitored again in a second pass of execution of each of these samples in the clean execution environment executed in the malware analysis system).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Aziz to include the idea to generate a signature to identify a network attack as taught by Xu so as to efficiently and effectively detect the malicious traffic with higher accuracy ([0077]).
The combination of Aziz and Xu is silent on use of a trusted secure computing device.
But the analogous art Sood teaches use of a trusted secure computing device. ([0019, 38-39] a platform-specific TEE that assumes the role of platform security policy inspector; the Trusted Execution Environment (TEE) reads packets of VNFC-VNFC and VNF-VNF networks… The TEE module performs a security assessment of one or more packets of the server based on the retrieved information to determine, whether the packets pose a security threat…).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combined inventions of Aziz and Xu to include the idea to use TEE to detect attacks as taught by Sood so that the platform-specific TEE uses hypervisor access into the various virtual switch interfaces and into TAPs to access traffic data ([019]).
Claim 2: the combination of Aziz, Xu and Sood teaches the method of claim 1, wherein the identified information about the network attack includes at least a portion of code or script for carrying out the network attack, and the signature identifies the network attack based on the at least a portion of code or script. (Xu: [0059] environment detects and prevents malware from causing harm (malicious software can include any executable program, such as active content, executable code, and scripts, that can interfere with the operation of a computing device or computer network, attempt unauthorized access of data or components of a computing device, and/or perform various other malicious, unauthorized, and/or undesirable activities)).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Aziz to include the idea of analyzing code or script as taught by Xu so as to efficiently and effectively detect the malicious traffic with higher accuracy ([0077]).
Claim 3: the combination of Aziz, Xu and Sood teaches the method of claim 1, wherein the identified information about the network attack includes at least a portion of data obtained by the network attack, and the signature identifies the network attack based on characteristics of the at least a portion of obtained data. (Aziz: col. 10 lines 15-17: the unauthorized activity signature provides code that is used to eliminate or "patch" portions of network data containing an attack).
Claim 4: the combination of Aziz, Xu and Sood teaches the method of claim 3, wherein the characteristics of the obtained data include at least one of: one or more of an identification, a data type, a number, or an order of data fields in the obtained data; metadata associated with the obtained data; and/or the content of the obtained data. (Aziz: col. 9 lines 25-27: fingerprint module determines any type of packet format of a network data; (col. 11 lines 3-8) policy engine scans the header of a packet of network data as well as the packet contents for unauthorized activity, or scans only the header of the packet for unauthorized activity based on the unauthorized activity signature).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See form PTO-892. Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri Champakesan whose telephone number is (571) 270-3867. The examiner can normally be reached M-F: 8:30am-5pm (EST). Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado, can be reached at 571-272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/BADRINARAYANAN/ Examiner, Art Unit 2496.