Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
This Office Action is in response to the amendment filed on 03/17/2022.
Claims 1, 3, 6, 9, and 11 have been amended.
Claims 1-11 are pending for consideration.
Response to Arguments
Applicant's arguments filed on 03/17/2022 have been fully considered but they are not persuasive. 
Applicant argues on page 7 of the Remarks that Aziz does not teach or suggest the following amended limitation, as recited in claims 1, 3, 6, 9, and 11: “determine whether the first packet includes at least one selected from communication data destined for a certain node, communication data related to a certain communication port, and communication data including a certain character string”.
In response to the above argument, Examiner respectfully disagrees. Aziz does teach that a packet is selected from a communication data destined from a certain node and that the communication data is related to a communication port (Column 4, Line 39: “The infected device 105 is configured to transmit network data over the communication network 120 to the destination device 110. The destination device is configured to receive the network data from the infected device 105”). As can be seen in the cited paragraphs, a first packet is being sent from the infected device to a destination device (certain node) by a communication network (communication port). Therefore, Aziz does teach the disputed limitation. Furthermore, Aziz discloses that the communication data will include a character string (Column 5, Line 3: “The tap 115 can also capture metadata from the network data. The metadata can be associated with the infected device 105 and the destination device 110.”). As can be seen in the cited paragraphs, the communication data between the infected device and the destination device will include metadata (string characters). Therefore, Aziz does teach the disputed limitation.
Applicant argues on page 7 of the Remarks that the amended claims 1, 6, and 11 overcome the grounds of the non-statutory obviousness-type double patenting rejection with regards to claims 1, 5, and 9 of co-pending application 16/586,383 in view of Aziz. 
In response to the above argument, Examiner respectfully disagrees. The current application (16/724,487) and the co-pending application (16/586,383) still both disclose the following limitation with claim 1 “A malware inspection support system comprising: one or more memories; and one or more processors coupled to the one or more memories and the one or more processors configured to: when a first terminal belonging to a first system is infected with malware, in response to receiving, from the first terminal, a first packet destined for a second terminal ….change a destination address of the first packet to an address of a third terminal belonging to a second system, and transmit the changed first packet to the third terminal”. Furthermore, the current application with the amended claim states “communication data related to a certain communication port” which can be mapped to the following limitation in claim 1 of the co-pending application “generate a port group by grouping a first port to which the first terminal is coupled and a second port to which the second system is coupled, in response to receiving a broadcast packet from the first terminal, transmit the broadcast packet to the port group”. As can be seen in the cited paragraphs, both applications state the means of using ports in order to send a first packet belonging to an infected device to a destination device. 
Double Patenting
The non-statutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A non-statutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on non-statutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1, 6, and 11 are provisionally rejected on the ground of non-statutory double patenting as being unpatentable over claims 1, 5, and 9 of co-pending Application No. 16/586,383 in view of AZIZ (U.S. Pub. No. 8,898,788 B1). 
Although the claims at issue are not identical, they are not patentably distinct from each other because the instant claims are similar to the claims in the co-pending application to meet the limitations claimed in the co-pending application '383 (see mapping of claim limitations in the following table). The claims of the present application are just a permutation of the claims of the co-pending application '383. Specifically, it would have been obvious to one of ordinary skill in the art before the effective filing date that claim 1 of the co-pending application '383 can be used to teach claim 1 of the present application; the teachings of claim 5 from application '383 can be used to teach claim 6 of the present application; the teachings of claim 9 of the co-pending application '383 can be used to teach claim 11 of the present application.
Moreover, the co-pending application 16/586,383 does not claim “and communication data including a certain character string”.
However, AZIZ teaches “and communication data including a certain character string” (Column 5, Line 3: “The tap 115 can also capture metadata from the network data. The metadata can be associated with the infected device 105 and the destination device 110.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of the application '383 in order to include a feature where metadata can be captured from the network data that is associated with the infected device and the destination device as taught in AZIZ. One of ordinary skill in the art would have been motivated to do so because Aziz recognizes that if malware is detected within the metadata of the packet then the heuristic module will take action and transfer the packet containing the malware from the first system over to a honey pot system (second system) (Column 8, line 53: The policy engine 235 coupled to the heuristic module 205 and is a module that can identify network data as suspicious based upon policies contained within the policy engine 235.; Column 11 line 41: The interceptor module 240 (second system) can re-route the network data that is the source of the unauthorized activity to the virtual machine to test the unauthorized activity utilizing the virtual machine as a dynamic honey pot.)
The table presented below shows comparison between the instant claims and the co-pending application claims. This is a provisional non-statutory obviousness-type double patenting rejection because the patentably indistinct claims have not in fact been patented.

Current Application 16/724,487 | Co-pending Application 16/586,383

Claim 1: A malware inspection support system comprising: one or more memories; and one or more processors coupled to the one or more memories and the one or more processors configured to: when a first terminal belonging to a first system is infected with malware, in response to receiving, from the first terminal, a first packet destined for a second terminal, determine whether the first packet includes at least one selected from communication data destined for a certain node, communication data related to a certain communication port, and communication data including a certain character string, when it is determined that the first packet, when it is determined that the first packet includes at least one selected from communication data destined for a certain node, communication data related to a certain communication port, and communication data including a certain character string, when it is determined that the first packet, change a destination address of the first packet to an address of a third terminal belonging to a second system, and transmit the changed first packet to the third terminal.
Claim 1: A malware inspection support system comprising: one or more memories; and one or more processors coupled to the one or more memories and the one or more processors configured to: when a first terminal belonging to a first system is infected with malware, in response to receiving, from the first terminal, a first packet destined for a second terminal belonging to the first system, change a destination address of the first packet to an address of a third terminal belonging to a second system, and transmit the changed first packet to the third terminal, generate a port group by grouping a first port to which the first terminal is coupled and a second port to which the second system is coupled, in response to receiving a broadcast packet from the first terminal, transmit the broadcast packet to the port group, and in response to receiving another broadcast packet from the third terminal, change a source address of the other broadcast packet to an address of the second terminal, and transmit the changed other broadcast packet to the port group.
Claim 6: A computer-implemented malware inspection support method comprising: when a first terminal belonging to a first system is infected with malware, in response to receiving, from the first terminal, a first packet destined for a second terminal, determining whether the first packet satisfies a includes at least one selected from communication data destined for a certain node, communication data related to a certain communication port, and communication data including a certain character string; when it is determined that the first packet includes at least one selected from communication data destined for a certain node, communication data related to a certain communication port, and communication data including a certain character string, changing a destination address of the first packet to an address of a third terminal belonging to a second system; and transmitting the changed first packet to the third terminal.


	
Claim 5: A computer-implemented malware inspection support method comprising: when a first terminal belonging to a first system is infected with malware, in response to receiving, from the first terminal, a first packet destined for a second terminal belonging to the first system, changing a destination address of the first packet to an address of a third terminal belonging to a second system, and transmitting the changed first packet to the third terminal; generating a port group by grouping a first port to which the first terminal is coupled and a second port to which the second system is coupled; in response to receiving a broadcast packet from the first terminal, transmitting the broadcast packet to the port group; and in response to receiving another broadcast packet from the third terminal, changing a source address of the other broadcast packet to an address of the second terminal, and transmitting the changed other broadcast packet to the port group.
Claim 11: A non-transitory computer-readable medium storing a program executable by one or more computers, the program comprising: one or more instructions for, when a first terminal belonging to a first system is infected with malware, in response to receiving, from the first terminal, a first packet destined for a second terminal, determining whether the first packet includes at least one selected from communication data destined for a certain node, communication data related to a certain communication port, and communication data including a certain character string; one or more instructions for, when it is determined that the first packet includes at least one selected from the communication data destined for the certain node, the communication data related to the certain communication port, and the communication data including the certain character string, changing a destination address of the first packet to an address of a third terminal belonging to a second system; and one or more instructions for transmitting the changed first packet to the third terminal.
Claim 9: A non-transitory computer-readable medium storing instructions executable by one or more computers, the instructions comprising: one or more instructions for, when a first terminal belonging to a first system is infected with malware, in response to receiving, from the first terminal, a first packet destined for a second terminal belonging to the first system, changing a destination address of the first packet to an address of a third terminal belonging to a second system, and transmitting the changed first packet to the third terminal; one or more instructions for generating a port group by grouping a first port to which the first terminal is coupled and a second port to which the second system is coupled; one or more instructions for, in response to receiving a broadcast packet from the first terminal, transmitting the broadcast packet to the port group; and one or more instructions for, in response to receiving another broadcast packet from the third terminal, changing a source address of the other broadcast packet to an address of the second terminal, and transmitting the changed other broadcast packet to the port group.


Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

	Claims 1-11 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by AZIZ (U.S. Pub. No. 8,898,788 B1).
	Per claim 1, AZIZ teaches “A malware inspection support system comprising: one or more memories; and one or more processors coupled to the one or more memories and the one or more processors configured to (Column 3 line 15: A machine readable medium may have embodied thereon executable code, the executable code being executable by a processor for performing a method for malware prevention, the method comprising copying network data from a communication network, determining if a possible malware attack is within the copied network data, intercepting the network data based on the determination, and analyzing the network data to identify a malware attack.) configured to when a first terminal belonging to a first system is infected with malware, in response to receiving, from the first terminal, a first packet destined for a second terminal, determine whether the first packet includes at least one selected from communication data destined for a certain node, communication data related to a certain communication port, and communication data including a certain character string (Column 4, Line 39: “The infected device 105 is configured to transmit network data over the communication network 120 to the destination device 110. The destination device is configured to receive the network data from the infected device 105”; Column 5, Line 3: “The tap 115 can also capture metadata from the network data. The metadata can be associated with the infected device 105 and the destination device 110.”; Column 5 line 8: In other embodiments, a heuristic module (described in association with FIG. 2) can determine the infected device 105 (first terminal) and the destination device 110 (second terminal) by analyzing data packets within the network data in order to generate the metadata; Column 5 line 26: The controller 125 (third terminal) includes any digital device or software configured to receive and analyze network data for the presence of malware; Column 9 Line 30: If the packet contents or the packet header indicate that the network data contains unauthorized activity, then the policy engine 235, the heuristic module 205, or the signature module 230 may take action.) when it is determined that the first packet includes at least one selected from the communication data destined for the certain node, the communication data related to the certain communication port, and the communication data including the certain character string (Column 4, Line 39; Column 5, Line 3), change a destination address of the first packet to an address of a third terminal belonging to a second system, and transmit the changed first packet to the third terminal” (Column 4 line 39: The infected device (first terminal) 105 is configured to transmit network data over the communication network 120 (first system) to the destination device 110 (second terminal); Column 14 line 24: In other embodiments, the interceptor module 240 (second system) can perform ARP manipulation or a proxy ARP to intercept network data (first system); Column 14 line 26: In one example, the interceptor module 240 can request that a router or DNS server forward network data to the controller 125 (third terminal) rather than the original destination device (second terminal)).

	Per claim 2 AZIZ further teaches “wherein the second system is a honeypot system for the malware” (Column 11 line 41: The interceptor module 240 (second system) can re-route the network data that is the source of the unauthorized activity to the virtual machine to test the unauthorized activity utilizing the virtual machine as a dynamic honey pot.). 

	Per claim 3 AZIZ further teaches “wherein the one or more processors are configured to: when it is determined that the first packet does not include at least one selected from the communication data destined for the certain node, the communication data related to the certain communication port, and the communication data including the certain character string (Column 4, Line 39; Column 5, Line 3), transmit the first packet to the second terminal without changing the destination address of the first packet” (Column 15 line 11: The copied network data is then analyzed based on a heuristic model associated with the heuristic module 205, at step 505. Based on the heuristic model applied to the copied network data, a determination as to whether the network data contains a possible attack or corrupted data can be made at step 510. The determination may be made based on the heuristic model only or based on further analysis, as discussed herein. If the network data is not identified as possibly containing the attack, the network data (first packet) continues to be transmitted to the IP address of the destination device 110 (second terminal)).

	Per claim 4 AZIZ further teaches “wherein the one or more processors are configured to: when it is determined that the first packet does not satisfy the specific condition, determine whether the first packet is a transmission object, and when it is determined that the first packet is not the transmission object, suspend to transmit the first packet to the second terminal.” (Column 9 Line 30: If the packet contents or the packet header indicate that the network data contains unauthorized activity, then the policy engine 235, the heuristic module 205, or the signature module 230 may take action. In one example, the policy engine 235 may quarantine, delete, or bar the packet from the communications network. The policy engine 235 may also quarantine, delete, or bar other packets belonging to the same data flow as the unauthorized activity packet.)

	Per claim 5 AZIZ further teaches “wherein the determination is performed on a basis of a feature of data included in the first packet.” (Column 5 line 5: The metadata can identify the infected device 105 (first terminal) and/or the destination device 110 (second terminal). In other embodiments, a heuristic module (described in association with FIG. 2) can determine the infected device 105 (first terminal) and the destination device 110 (second terminal) by analyzing data packets within the network data in order to generate the metadata.)

Per claim 6 AZIZ further teaches “A computer-implemented malware inspection support method comprising: when a first terminal belonging to a first system is infected with malware, in response to receiving, from the first terminal, a first packet destined for a second terminal, determining whether the first packet includes at least one selected from communication data destined for a certain node, communication data related to a certain communication port, and communication data including a certain character string (Column 4, Line 39; Column 5, Line 3; Column 5 line 8: In other embodiments, a heuristic module (described in association with FIG. 2) can determine the infected device 105 (first terminal) and the destination device 110 (second terminal) by analyzing data packets within the network data in order to generate the metadata; Column 5 line 26: The controller 125 (third terminal) includes any digital device or software configured to receive and analyze network data for the presence of malware; Column 9 Line 30: If the packet contents or the packet header indicate that the network data contains unauthorized activity, then the policy engine 235, the heuristic module 205, or the signature module 230 may take action) when it is determined that the first packet includes at least one selected from the communication data destined for the certain node, the communication data related to the certain communication port, and the communication data including the certain character string (Column 4, Line 39; Column 5, Line 3), changing a destination address of the first packet to an address of a third terminal belonging to a second system; and transmitting the changed first packet to the third terminal” (Column 4 line 39: The infected device (first terminal) 105 is configured to transmit network data over the communication network 120 (first system) to the destination device 110 (second terminal); Column 14 line 24: In other embodiments, the interceptor module 240 (second system) can perform ARP manipulation or a proxy ARP to intercept network data (first system); Column 14 line 26: In one example, the interceptor module 240 can request that a router or DNS server forward network data to the controller 125 (third terminal) rather than the original destination device (second terminal)).

Per claim 7 AZIZ further teaches “wherein the second system is a honeypot system for the malware” (Column 11 line 41: The interceptor module 240 (second system) can re-route the network data that is the source of the unauthorized activity to the virtual machine to test the unauthorized activity utilizing the virtual machine as a dynamic honey pot.). 

Per claim 8 AZIZ further teaches “when it is determined that the first packet does not satisfy the specific condition, transmitting the first packet to the second terminal without changing the destination address of the first packet” (Column 15 line 11: The copied network data is then analyzed based on a heuristic model associated with the heuristic module 205, at step 505. Based on the heuristic model applied to the copied network data, a determination as to whether the network data contains a possible attack or corrupted data can be made at step 510. The determination may be made based on the heuristic model only or based on further analysis, as discussed herein. If the network data is not identified as possibly containing the attack, the network data continues to be transmitted to the IP address of the destination device 110 (second terminal)). 

Per claim 9 AZIZ further teaches “when it is determined that the first packet does not include at least one selected from the communication data destined for the certain node, the communication data related to the certain communication port, and the communication data including the certain character string (Column 4, Line 39; Column 5, Line 3), determining whether the first packet is a transmission object; and when it is determined that the first packet is not the transmission object, suspending to transmit the first packet to the second terminal” (Column 9 Line 30: If the packet contents or the packet header indicate that the network data contains unauthorized activity, then the policy engine 235, the heuristic module 205, or the signature module 230 may take action. In one example, the policy engine 235 may quarantine, delete, or bar the packet from the communications network. The policy engine 235 may also quarantine, delete, or bar other packets belonging to the same data flow as the unauthorized activity packet.).

Per claim 10 AZIZ further teaches “wherein the determining is performed on a basis of a feature of data included in the first packet” (Column 5 line 5: The metadata can identify the infected device 105 and/or the destination device 110. In other embodiments, a heuristic module (described in association with FIG. 2) can determine the infected device 105 and the destination device 110 by analyzing data packets within the network data in order to generate the metadata.).

Per claim 11 AZIZ further teaches “A non-transitory computer-readable medium storing a program executable by one or more computers, the program comprising: one or more instructions (Column 3 line 15: A machine readable medium may have embodied thereon executable code, the executable code being executable by a processor for performing a method for malware prevention, the method comprising copying network data from a communication network, determining if a possible malware attack is within the copied network data, intercepting the network data based on the determination, and analyzing the network data to identify a malware attack.) for when a first terminal belonging to a first system is infected with malware, in response to receiving, from the first terminal, a first packet destined for a second terminal, determining whether the first packet includes at least one selected from communication data destined for a certain node, communication data related to a certain communication port, and communication data including a certain character string (Column 4, Line 39; Column 5, Line 3; Column 5 line 8: In other embodiments, a heuristic module (described in association with FIG. 2) can determine the infected device 105 (first terminal) and the destination device 110 (second terminal) by analyzing data packets within the network data in order to generate the metadata; Column 5 line 26: The controller 125 (third terminal) includes any digital device or software configured to receive and analyze network data for the presence of malware; Column 9 Line 30: If the packet contents or the packet header indicate that the network data contains unauthorized activity, then the policy engine 235, the heuristic module 205, or the signature module 230 may take action.); when it is determined that the first packet includes at least one selected from the communication data destined for the certain node, the communication data related to the certain communication port (Column 4, Line 39; Column 5, Line 3), changing a destination address of the first packet to an address of a third terminal belonging to a second system; and one or more instructions for transmitting the changed first packet to the third terminal” (Column 4 line 39: The infected device (first terminal) 105 is configured to transmit network data over the communication network 120 (first system) to the destination device 110 (second terminal); Column 14 line 24: In other embodiments, the interceptor module 240 (second system) can perform ARP manipulation or a proxy ARP to intercept network data (first system); Column 14 line 26: In one example, the interceptor module 240 can request that a router or DNS server forward network data to the controller 125 (third terminal) rather than the original destination device (second terminal)).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Stutz (US 20170223052 A1) discloses that some implementations, one or more honeypot network services may be selected to give the appearance of an application server with a particular operating system and network services, and the honeypot network service may be configured to present itself at a particular port and network address to simulate such an application server (¶115).
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAAD ABDULLAH whose telephone number is 571-272-1531. The examiner can normally be reached on Monday-Friday 9am-5pm EST. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, LYNN FIELD can be reached on 571-272-2092.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SAAD ABDULLAH/
Examiner, Art Unit 2431

/LYNN D FEILD/
Supervisory Patent Examiner, Art Unit 2431