Notice of Pre-AIA or AIA Status
The present application is being examined under the pre-AIA first to invent provisions.

EXAMINER'S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.

Authorization for this examiner’s amendment was given in an interview with Gayathri N. Ranganathan on 3/3/22.

The application has been amended as follows: 

1.- 20. (Previously Cancelled)

21.	(Previously Presented) An apparatus, comprising:
	a memory; and
	a hardware processor communicatively coupled to the memory,

the hardware processor configured to intercept a second communication, the second communication being from a second application executing at a second compute device, the second communication addressed to a second server different from the second compute device,
	the hardware processor configured to identify the first application to be from a first class from a plurality of classes based on the first application having a first inherent capability specific to the first class;
the hardware processor configured to identify the second application to be from a second class different from the first class and from the plurality of classes based on the second application having a second inherent capability specific to the second class;
	the hardware processor configured to generate a first authentication challenge based on the first application being identified as being from the first class; 
the hardware processor configured to generate a second authentication challenge different than the first authentication challenge and based on the second application being identified as being from the second class; 
the hardware processor configured to send the first authentication challenge to the first compute device and send the second authentication challenge to the second compute device via a network, 
	the hardware processor configured to receive from the first compute device a first automatic non-user-interactive response to the first authentication challenge, the first automatic non-user-interactive response being generated by the first application using the first inherent capability; 
	 the hardware processor configured to receive from the second compute device a second automatic non-user-interactive response to the second authentication challenge, the second automatic non-user-interactive response being generated by the second application using the second inherent capability;
the hardware processor configured to detect, based on the first automatic non-user-interactive response, an identity characteristic of the first application, and detect, based on the 
the hardware processor configured to determine whether the first application is malware based at least in part on the identity characteristic of the first application and determine whether the second application is malware based at least in part on the identity characteristic of the second application.

22.	(Previously Presented) The apparatus of claim 21, wherein the hardware processor is configured to identify the first application as malware based on the first automatic non-user-interactive response not being valid for the identity characteristic of the first application or identify the second application as malware based on the second automatic non-user-interactive response not being valid for the identity characteristic of the second application.

23.	(Previously Presented) The apparatus of claim 21, wherein the hardware processor is configured to block the first communication from being sent to the server in response to identifying the first application as malware.

24.	(Previously Presented) The apparatus of claim 21, wherein the hardware processor is configured to forward the first communication to the server in response to identifying the first application as not being malware.

25.	(Previously Presented) The apparatus of claim 21, wherein the first authentication challenge includes a primitive and the first application can use the first inherent capability to recognize the primitive as an indication that the first application is not compromised as malware.

26.	(Previously Presented) The apparatus of claim 21, wherein the first authentication challenge is an active content challenge for the first application, the hardware processor being further configured to block the first communication from being sent to the server in response to identifying the first application as malware.



28.	(Canceled) 

29.	(Canceled).

30.	(Currently Amended) The non-apparatus of claim [[28]] 21, the configured to: 
	 allow the first communication to be sent to the first server in response to identifying the first application as not malware.

31.	(Currently Amended) The apparatus of claim [[28]] 21, the configured to:
 analyze network behavior and communication characteristics associated with the first communication to identify expected variations in values of fields associated with the first communication, the fields denoting a source or a destination associated with the first communication, the first class being determined based on the expected variations of the values of the fields.

32.	(Cancelled) 

33.	(Currently Amended) The apparatus of claim [[28]] 21, wherein the first class is associated with a communication protocol type that is at least one of a hypertext transfer protocol (HTTP) type, a hypertext transfer protocol secure (HTTPS) protocol type, or a Voice Over IP (VoIP) protocol type.


	receiving data from a first application of a first compute device initiating a communication with a first server;
receiving data from a second application of a second compute device initiating a communication with a second server;
	identifying the first application to be from a first class from a plurality of classes of client applications;
identifying the second application to be from a second class different than the first class and from the plurality of classes of client applications;
determining, based on the first application being from the first class, an inherent capability specific to the first class;
	determining, based on the second application being from the second class, an inherent capability specific to the second class and different from the inherent capability specific to the first class;
generating a first request that the first application can recognize using the inherent capability specific to the first class, and a second request that the second application can recognize using the inherent capability specific to the second class;
	sending the first request to the first compute device and the second request to the second compute device;
	receiving, from the first compute device and in response to the first request, a first automatic non-user-interactive response associated with the first application; 
receiving, from the second compute device and in response to the second request, a second automatic non-user-interactive response associated with the second application;
detecting an identity characteristic of the first application based on the first automatic non-user-interactive response and an identity characteristic of the second application based on the second automatic non-user-interactive response;
identifying whether the first application is malware based at least in part on the identity characteristic of the first application; and
	identifying whether the second application is malware based at least in part on the identity characteristic of the second application.



36.	(Previously Presented) The method of claim 34, further comprising: 
	blocking the first application from initiating communication with the first server in response to identifying the first application as malware.

37.	(Previously Presented) The method of claim 34, further comprising: 
	 allowing the first compute device to initiate communication with the first server in response to identifying the first application as not being malware.

38.	(Previously Presented) The method of claim 34, wherein the first class is associated with a communication protocol type that is at least one of a hypertext transfer protocol (HTTP) type, a hypertext transfer protocol secure (HTTPS) protocol type, or a VoIP protocol type, and the first request is an active content challenge, the method further comprising:
blocking the first application from initiating communication with the first server in response to identifying the first application as malware.

39.	(Previously Presented) The method of claim 34, wherein the first request is an active content challenge for the first application.

40.	(Previously Presented) The method of claim 34, wherein the first request is a redirect request and the first application is identified as a browser application.

41.	(Previously Presented) The method of claim 34, wherein a communication protocol type associated with the data from the first application is at least one of: HTTP, HTTPS, Voice Over IP (VoIP), Session Description Protocol, Session Initiation Protocol, Real Time Transport Protocol, or Real Time Transport Control Protocol.



43. 	(Cancelled) 

44. 	(Previously Presented) The method of claim 34, further comprising: determining a communication protocol type associated with the data from the first application via protocol fingerprinting, the identifying the first application to be from the first class being based on the communication protocol type.

45. 	(Previously Presented) 	The method of claim 34, wherein the first request is an active content challenge for the first application and a communication protocol type associated with the data from the first application is VoIP, the method further comprising:
	identifying an implementation of the communication protocol type to be at least one of Asterix, sipX, PBX, or Skype, the generating the first request being further based on the implementation of the communication protocol type.

46. 	(Previously Presented) The method of claim 34, wherein the first request is an active content challenge for the first application and a communication protocol type associated with the data from the first application is VoIP, the method further comprising:
	allowing the first compute device to initiate communication with the first server in response to identifying the first application as not being malware.

47.	(Previously Presented)	The method of claim 34, wherein a communication protocol type associated with the data from the first application is a VoIP protocol type, the method further comprising:
detecting, based on a set of predefined features, a set of VoIP clients associated with the data from the first application, the set of predefined features including "User-Agent", "Audio Codec" or "Status Code", the generating the first request being further based on the detecting the set of VoIP clients.

48.	(Previously Presented)	An apparatus, comprising:
	a memory; and
	a hardware processor communicatively coupled to the memory,
	the hardware processor configured to intercept a first communication, the first communication being from a first application executing at a first compute device, the first communication addressed to a first server different from the first compute device, 
	the hardware processor configured to determine a communication protocol type of the first communication to be a Voice Over IP (VoIP) protocol type;
the hardware processor configured to intercept a second communication, the second communication being from a second application executing at a second compute device, the second communication addressed to a second server different from the second compute device, 
	the hardware processor configured to determine a communication protocol type of the second communication to be at least one of hypertext transfer protocol (HTTP) or hypertext transfer protocol secure (HTTPS) protocol type;
	the hardware processor configured to select a first request based on the determination that the communication protocol type of the first communication is a VoIP protocol type, the first request being defined to be recognized by applications using VoIP protocol;
the hardware processor configured to send the first request to the first compute device via a network; 
the hardware processor configured to select a second request different from the first request and based on the determination that the communication protocol type of the second communication is at least one of HTTP or HTTPS protocol type, the second request being defined to be recognized by applications using HTTP or HTTPS;
	the hardware processor configured to receive from the first compute device an automatic non-user-interactive response to the first request and from the second compute device an automatic non-user-interactive response to the second request; 
the hardware processor configured to identify whether the first application or the second application is malware based at least in part on the automatic non-user-interactive response to the first request and the automatic non-user-interactive response to the second request; 

the hardware processor configured to block the second communication from being sent to the second server in response to identifying the second application as malware.

Reasons for Allowance 

The following is an examiner’s statement of reasons for allowance: 

Claims 21-27, 30-31, 33-42, and 44-48 are allowed over the prior art of record. Claims are allowed due to Applicant amendments that make the claims allowable at least over the prior art Nice US 2009/0300739, Chen US 2004/0093372, and Stanko US 7,246,230.
The claims should be viewed as allowable in their entirety. The claims are non-obvious over the combination cited above. No single element should be viewed as novel from the claims as stated. It is the combination of elements that makes the claims allowable over the prior art.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”





Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER BROWN whose telephone number is (571)272-3833. The examiner can normally be reached M-F 8-5.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571) 270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/CHRISTOPHER J BROWN/Primary Examiner, Art Unit 2439