DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statements (IDSs) submitted on 1/12/2021 have been entered and considered by the examiner.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.



Claims 1, 2, 4-13 and 15-20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Ackerman et al (US2017/0310692).
Regarding claims 1, 12, and 20, Ackerman teaches a computer-implemented method/computer system/computer program product for protecting a processing environment from malicious incoming network traffic (Introduction), said method comprising:
one or more processors, one or more computer-readable memories, one or more computer-readable tangible storage devices, and program instructions stored on at least one of the one or more computer-readable tangible storage devices for execution by at least one of the one or more processors via at least one of the one or more memories, wherein the computer system is capable of performing a method comprising: a network analysis engine that (Para. 0022; device may include a network interface, a memory, and a processor. The processor may be configured by computer executable code stored in the memory to perform the steps of monitoring outbound traffic from an endpoint in an enterprise network, detecting use of a secure communication protocol with a request from the endpoint): 
in response to receiving incoming network traffic comprising a data packet, performing a packet and traffic analysis of said data packet to determine whether said data packet is non-malicious and malicious, and processing of said data packet in a sandbox environment (Para. 0189; determining a reputation of the application and routing the network message to the destination address conditionally based on the reputation of the application that generated the network message. That is, if the reputation of the application is known and good, then the traffic may be routed as requested by the endpoint according to the routing information in the network traffic. However, if the reputation of the application is known and bad, then the traffic may be sequestered in any suitable manner. For example, the traffic may be dropped. Additional steps may be taken. For example, when the reputation of the application is uncertain, or other information is collectively inconclusive, a sandbox based on the endpoint may be created and used to communicate with the destination address to test for malicious activity); 
in response to detecting that the data packet is non-malicious based on the packet and traffic analysis, releasing said processed data packet from said sandbox environment for further processing in said processing environment (Para. 0189; That is, if the reputation of the application is known and good, then the traffic may be routed as requested by the endpoint according to the routing information in the network traffic; i.e. further processing would be routing the network traffic); and 
in response to detecting that the data packet is malicious based on the packet and traffic analysis, discarding said data packet (Para. 0189; if the reputation of the application is known and bad, then the traffic may be sequestered in any suitable manner. For example, the traffic may be dropped).
Regarding claims 2 and 13, Ackerman teaches the limitations of the previous claims.  Ackerman further teaches wherein said discarding said data packet further comprises: discarding results of said processing of said data packet in said sandbox environment (Para. 0189; if the reputation of the application is known and bad, then the traffic may be sequestered in any suitable manner. For example, the traffic may be dropped. Additional steps may be taken. For example, when the reputation of the application is uncertain, or other information is collectively inconclusive, a sandbox based on the endpoint may be created and used to communicate with the destination address to test for malicious activity).  
Regarding claims 4 and 15, Ackerman teaches the limitations of the previous claims.  Ackerman further teaches further comprising: in response to determining that said data packet is received from an unknown source, caching of said data packet at said endpoint computing device, and suspending said processing of said data packet (Paras. 0071 and 0189; if the reputation of the application is known and bad, then the traffic may be sequestered in any suitable manner. For example, the traffic may be dropped; the term endpoint may refer to a computer system that may source data, receive data, evaluate data, buffer data, or the like; i.e. the endpoint would have a buffer for packets being evaluated so it would be cached and once it is determined to be malicious, it would be dropped and thus processing would be suspended).  
Regarding claims 5 and 16, Ackerman teaches the limitations of the previous claims.  Ackerman further teaches further comprising: processing said data packet in said endpoint computing device after a signal indicating that said data packet is non-malicious has been received (Para. 0189; That is, if the reputation of the application is known and good, then the traffic may be routed as requested by the endpoint according to the routing information in the network traffic; i.e. when the signal indicating known and good is determined, the packet is routed).  
Regarding claim 6, Ackerman teaches the limitations of the previous claims.  Ackerman further teaches wherein said processing of said data packet in a sandbox environment is only performed for data packets from known network traffic sources (Para. 0189; when the reputation of the application is uncertain, or other information is collectively inconclusive, a sandbox based on the endpoint may be created and used to communicate with the destination address to test for malicious activity).  
Regarding claims 7 and 17, Ackerman teaches the limitations of the previous claims.  Ackerman further teaches wherein said incoming network traffic is a stream of packets and wherein said data packet is selected out of said stream of packets (Para. 0068; the streaming file may be broken into blocks of information, and a plurality of virus identities may be used to check each of the blocks of information for malicious code).  
Regarding claims 8 and 18, Ackerman teaches the limitations of the previous claims.  Ackerman further teaches wherein packets of said stream of packets that are not selected are processed by said endpoint computing environment (Para. 0189; when the reputation of the application is uncertain, or other information is collectively inconclusive, a sandbox based on the endpoint may be created and used to communicate with the destination address to test for malicious activity).  
Regarding claim 9, Ackerman teaches the limitations of the previous claims.  Ackerman further teaches further comprising: suppressing a data packet retransmission request of said data packet until said traffic and packet analysis is completed resulting in said data packet not deemed to be malicious (Para. 0068 and 0189; any blocks that are not determined to be clear of malicious code may not be delivered to the client facility, gateway facility, or network; i.e. if a packet is not determined to be clear, it would not be transmitted or retransmitted).  
Regarding claim 10, Ackerman teaches the limitations of the previous claims.  Ackerman further teaches wherein said processing environment and a network analysis engine that performs said packet and traffic analysis comprises a dynamic caching buffer (Para. 0071; the term endpoint may refer to a computer system that may source data, receive data, evaluate data, buffer data, or the like; i.e. the endpoint would have a buffer to evaluate and buffer data so it would be dynamic in that it is used to store data and this data would continually change based on the packets being evaluated).  
Regarding claim 11, Ackerman teaches the limitations of the previous claims.  Ackerman further teaches wherein said dynamic buffer comprises a first portion and a second portion, wherein said first portion is reserved for data packets from known sources, and wherein said second portion is reserved for data packets from unknown sources (Paras. 0071 and 0189; the term endpoint may refer to a computer system that may source data, receive data, evaluate data, buffer data, or the like; determining a reputation of the application and routing the network message to the destination address conditionally based on the reputation of the application that generated the network message. That is, if the reputation of the application is known and good, then the traffic may be routed as requested by the endpoint according to the routing information in the network traffic. However, if the reputation of the application is known and bad, then the traffic may be sequestered in any suitable manner. For example, the traffic may be dropped. Additional steps may be taken. For example, when the reputation of the application is uncertain, or other information is collectively inconclusive, a sandbox based on the endpoint may be created and used to communicate with the destination address to test for malicious activity; i.e. the endpoint would have a buffer to buffer data being evaluated and this data would be put in buffer locations which would be known to include whether the packet is known or unknown and based on the broadness of the claim language, this would read on that).  
Regarding claim 19, Ackerman teaches the limitations of the previous claims.  Ackerman further teaches wherein said processing environment and the network analysis engine that performs said packet and traffic analysis comprises a dynamic caching buffer, and wherein said dynamic buffer comprises a first portion and a second portion, wherein said first portion is reserved for data packets from known sources, and wherein said second portion is reserved for data packets from unknown sources (Paras. 0071 and 0189; the term endpoint may refer to a computer system that may source data, receive data, evaluate data, buffer data, or the like; determining a reputation of the application and routing the network message to the destination address conditionally based on the reputation of the application that generated the network message. That is, if the reputation of the application is known and good, then the traffic may be routed as requested by the endpoint according to the routing information in the network traffic. However, if the reputation of the application is known and bad, then the traffic may be sequestered in any suitable manner. For example, the traffic may be dropped. Additional steps may be taken. For example, when the reputation of the application is uncertain, or other information is collectively inconclusive, a sandbox based on the endpoint may be created and used to communicate with the destination address to test for malicious activity; i.e. the endpoint would have a buffer to buffer data being evaluated and this data would be put in buffer locations which would be known to include whether the packet is known or unknown and based on the broadness of the claim language, this would read on that).  
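To make the reputation-gated dispositions the examiner reads onto claims 1 through 19 concrete, the following is an added example written for this page (not code from the application or from Ackerman). It models one endpoint: known-good sources are routed, known-bad sources are dropped, uncertain known sources are held in the first buffer portion while a stand-in sandbox check runs (with retransmission requests suppressed meanwhile), and packets from unknown sources are cached in a second buffer portion with processing suspended. The reputation table, addresses, payload marker and sandbox heuristic are all constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Rep(Enum):
    GOOD = "known good"
    BAD = "known bad"
    UNCERTAIN = "uncertain"


@dataclass
class Packet:
    src: str
    payload: bytes


@dataclass
class Endpoint:
    reputation: dict                                   # src -> Rep; absent = unknown source
    known_buf: list = field(default_factory=list)      # first buffer portion: known sources
    unknown_buf: list = field(default_factory=list)    # second buffer portion: unknown sources
    released: list = field(default_factory=list)
    dropped: list = field(default_factory=list)
    retx_suppressed: set = field(default_factory=set)  # sources whose retransmit request is held

    def sandbox_analysis(self, pkt: Packet) -> bool:
        # Stand-in for detonation: a constructed marker plays the role of observed malicious behaviour.
        return b"MALICIOUS" not in pkt.payload

    def triage(self, pkt: Packet) -> str:
        if pkt.src not in self.reputation:             # unknown source: cache and suspend
            self.unknown_buf.append(pkt)
            return "suspended"
        self.known_buf.append(pkt)
        rep = self.reputation[pkt.src]
        if rep is Rep.GOOD:                            # route as requested by the endpoint
            self.known_buf.remove(pkt); self.released.append(pkt)
            return "routed"
        if rep is Rep.BAD:                             # sequester: drop the packet
            self.known_buf.remove(pkt); self.dropped.append(pkt)
            return "dropped"
        self.retx_suppressed.add(pkt.src)              # uncertain: sandbox, hold retransmit request
        clean = self.sandbox_analysis(pkt)
        self.retx_suppressed.discard(pkt.src)
        self.known_buf.remove(pkt)
        (self.released if clean else self.dropped).append(pkt)   # release, or discard with results
        return "released" if clean else "dropped"


def demo() -> dict:
    ep = Endpoint({"10.0.0.5": Rep.GOOD, "10.0.0.9": Rep.BAD, "10.0.0.7": Rep.UNCERTAIN})
    pkts = [Packet("10.0.0.5", b"GET /"), Packet("10.0.0.9", b"x"), Packet("10.0.0.7", b"hello"),
            Packet("10.0.0.7", b"MALICIOUS"), Packet("203.0.113.4", b"?")]
    return {i: ep.triage(p) for i, p in enumerate(pkts)}
```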

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 3 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Ackerman et al (US2017/0310692) in view of Mushtaq et al (US 9432646).
Regarding claims 3 and 14, Ackerman teaches the limitations of the previous claims.  
However, Ackerman does not specifically disclose wherein the incoming network traffic data packet is directed in parallel to a network deep packet analysis system and an endpoint computing device.
Mushtaq teaches automatically detecting bots or botnets running in a computer or other digital device by detecting command and control communications, called “call-backs,” from malicious code that has previously gained entry into the digital device (Abstract).  He further teaches wherein the incoming network traffic data packet is directed in parallel to a network deep packet analysis system and an endpoint computing device (Col. 9, lines 19-32; local signature matching logic 174 may process captured packets prior to the deep packet inspection logic 176 examining the captured packets, in which case the deep packet inspection logic 176 need only examine packets whose signatures did not have a match. In other embodiments, the deep packet inspection logic 176 may examine captured packets before the local signature matching logic 174 performs its cache lookup, in which case the deep packet inspection's cache lookup need only be performed with respect packet headers having anomalies. This may prove beneficial from a time and resource conservation perspective. Of course, they may also operate in a parallel or overlapping fashion in some embodiments; i.e. the deep packet inspection and signature matching could be done serially or in parallel).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings as in Mushtaq with the teachings as in Ackerman.  The motivation for doing so would have been to detect disparate forms of malware by using two different analysis methods (Mushtaq at Col. 4, lines 8-13).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KENT KRUEGER whose telephone number is (303)297-4238.  The examiner can normally be reached on M-F 8:00-5:00 MT.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Michael Thier can be reached on (571) 272-2832.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/KENT KRUEGER/Primary Examiner, Art Unit 2474