Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
Claims 1-6 have been amended.
Claims 1-6 are allowed.
Allowable Subject Matter
Claims 1-6 are allowed. The following is an examiner’s statement of reasons for allowance: the following prior art references were yielded during examination of the claims filed on September 25, 2020. They do not explicitly teach the applicant’s claimed invention, but they are in the general realm of the applicant’s field of endeavor:
ELLIS (US-20100199349-A1): This prior art teaches a method to detect computer worms in a network. The method in which a worm transmits a copy of itself produces network traffic patterns that can be generalized as a traffic behavior. As a worm spreads itself across the network, the propagation of the traffic behavior can be witnessed as hosts are infected, one after another. By monitoring the network traffic for propagations of traffic behaviors, a presence of a worm can be detected.
ELLIS does teach “A computer implemented method of protecting a portion of a computer network from malware attack,” ([ELLIS, para. 0011] “The present invention is a method, apparatus, and a computer program product for automatically detecting the presence of a worm in a computer network.”) ([ELLIS, para. 0012] “In order for a worm to infect another host, the worm must communicate with that host. Hence traffic is generated as a worm infects or attempts to infect another host. A particular feature of the traffic that is generated is described as a traffic behavior.”) ([ELLIS, para. 0013] “The traffic in the computer network is monitored to identify the occurrences of traffic behaviors. Examples of traffic behaviors are the transmission of any IP packet, the presence of a half-open TCP connection, and a sequence of packets which match a predetermined pattern.”)
the computer network comprising network connected devices organized into hierarchical subnets modelled by a tree data structure in which each subnet is represented as a node in the tree data structure, each node having a connection to a parent node save for a root node, the method comprising: ([ELLIS, para. 0015] “To determine if one or more traffic behaviors are propagating across the network, the identified traffic behavior occurrences are organized into a data structure representing a tree. The nodes of the tree represent hosts which exhibited the traffic behavior and the links of the tree represent the occurrence of a traffic behavior. Some worms are capable of exploiting multiple vulnerabilities and therefore may exhibit multiple traffic behaviors as they spread across the network. Hence, the links in the tree may not all represent the same traffic behavior. The data structure may not explicitly need to maintain both node and link information. If all the links represent the same traffic behavior, the data structure may simply maintain information for each node and its depth in the tree.”) ([ELLIS, para. 0016] “Once the data structure representing the tree is formed, the characteristics of the tree are examined to detect a possible presence of a worm. Some of the characteristics checked are the depth, the number of nodes, the average branching factor for each depth of the tree, the average branching factor for the internal nodes of the tree, and the average propagation time to the first descendant at each depth of the tree. For example, if the branching factor of the internal nodes is greater than a small threshold (e.g., four) and the average propagation time is much less than a second, then there is a strong indication that the traffic behaviors were actually caused by a worm rather than by some other non-malicious activity.”)
generating a dynamical system for each subnet in the computer network, each dynamical system modelling a rate of change of a number of network connected devices in the subnet that are: ([ELLIS, para. 0040] “The present invention uses the knowledge that worms produce traffic behaviors as it infects new hosts and that worms exhibit certain propagation characteristics to detect the presence of a new worm.”) ([ELLIS, para. 0017] “Furthermore, subsets of the tree may be inspected to identify worm-like symptoms. In a tree formed by multiple traffic behaviors, the presence of alpha-in alpha-out and server-to-client worm-like symptoms may provide additional indications that a worm is present: Once a host in the tree has been identified as a possible worm infected host, other hosts in the tree that have exhibited the same traffic behavior as the one exhibited by the possible worm-infected host may also be identified as potential worm-infected hosts.”)
susceptible to infection by malware; infected by the malware; protected against infection by the malware; and susceptible to infection by malware; infected by the malware; ([ELLIS, para. 0112] “If an examination of a tree-like data structure indicates the possible presence of a worm, the hosts in the tree-like data structure are identified as possible worm-infected hosts. The possible worm-infected hosts can be automatically quarantined utilizing strategies described above. In addition, the present invention may notify a natural person such as an administrator of the network, for example, through email, notifications which are displayed on the natural person's computer display, and other alert mechanisms to indicate that a possible presence of a worm has been detected.”) ([ELLIS, para. 0062] “Once a host has been identified as a possible worm-infected host, the host may be quarantined. For example, the host may be isolated so that it may not transmit or receive all or particular types of IP packets. The host may also be placed in a separate virtual LAN (VLAN) partition.”)
and associating the risk with a node in the tree data structure corresponding to the subnet ([ELLIS, para. 0017] “Once a host in the tree has been identified as a possible worm infected host, other hosts in the tree that have exhibited the same traffic behavior as the one exhibited by the possible worm-infected host may also be identified as potential worm-infected hosts.”) ([ELLIS, para. 0063] “In a configuration where portions of a network are subdivided by different sensors where smaller sensors monitor only a region and a larger sensor monitors multiple regions, if the smaller sensor identifies a host as a possible worm-infected host, the host may be escalated to the larger sensor for further observation. Since the larger server is capable of monitoring more traffic, it may be able to observe the propagation of traffic behaviors in greater detail.”)
…… identifying a first subset of nodes in the tree data structure for which a risk of infection is below a predetermined threshold level of risk; and ([ELLIS, para. 0049] “If the depth of the tree is greater than some threshold value, the traffic behavior has propagated to some threshold depth and therefore may indicate that the hosts are infected by a worm.”) ([ELLIS, para. 0050] “If the number of nodes in the tree is greater than some threshold, the traffic behavior has propagated to some threshold number of hosts and therefore may indicate that the hosts are infected by a worm.”)
…… performing protective actions on the devices in the subnets associated with each of the first subset of nodes to provide protection against the malware, …… to impede propagation of the malware to devices in subnets associated with each of the first subset of nodes. ([ELLIS, para. 0112] “Once all the traffic behavior occurrences that have been detected from the packet traces of the feature window 604 are organized into tree-like data structures such as the descendants matrix, each tree-like data structure is examined to determine if the propagation of traffic behavior occurrences exhibits worm-like propagation. For example, the depth of the tree, the number of nodes in the tree, the average branching factor for each depth of the tree, the average branching factor for the internal nodes of the tree and the average propagation time of the tree can be computed and compared to threshold values to determine if a presence of a worm is likely. If an examination of a tree-like data structure indicates the possible presence of a worm, the hosts in the tree-like data structure are identified as possible worm-infected hosts. The possible worm-infected hosts can be automatically quarantined utilizing strategies described above.”).
However, ELLIS does not teach “…… protected against infection by the malware; and the dynamical systems being based on rates of transmission of the malware between all pairs of subnets; evaluating, for each subnet in the computer network, a measure of risk of infection for the subnet at a predetermined point in time based on the dynamical systems …… identifying a second subset of nodes in the tree data structure as a subset of the first subset, the second subset comprising nodes having a connection to a node in the tree data structure having a risk of infection meeting or exceeding the predetermined threshold level of risk; and …… prioritizing devices in the subnets associated with the second subset of nodes so as to provide a barrier of subnets protected against the malware”.

LIANG (US-20050050338-A1): This prior art teaches a method for monitoring network level viruses. A network level virus monitoring system capable of monitoring a flow of network traffic in any of a number of inspection modes depending upon the particular needs of a system. The monitoring provides an early warning of a virus attack thereby facilitating quarantine procedures directed at containing a virus outbreak. 
LIANG does disclose “A computer implemented method of protecting a portion of a computer network from malware attack, ([LIANG, para. 0062] “In order to protect network 100, the virus monitors 102 continuously monitor network traffic for potential viral attacks.”)
the computer network comprising network connected devices organized into hierarchical subnets …… each node having a connection to a parent node save for a root node, the method comprising: ([LIANG, para. 0046, Fig. 1] “Generally, a network is divided into a hierarchy using a geographical classification, a management classification and detailed information. The hierarchy is accordingly displayed in the form of a map having a number of levels. Accordingly, network 100 is structured along the lines of a tiered network architecture with a hierarchy of three tiers. In this particular architecture, various multi-service switches are used to provision subscriber services at the first tier of the network (i.e., the Internet backbone, for example).”) ([LIANG, para. 0047] “A tier 1 switch (shown as switch 118) can be used to consolidate traffic from many subscribers and may also may perform traffic shaping, depending on the network architecture. In some cases, the tier 1 switch 118 then can be connected to a tier 2 switch 120 which, in turn, is connected to a tier 3 switch 122, thereby providing further traffic concentration”)
generating a dynamical system for each subnet in the computer network, ([LIANG, para. 0045] “Accordingly, FIG. 1 shows a virus monitoring system implemented on a distributed network 100 having a network virus monitor 102 in accordance with an embodiment of the invention.”) ([LIANG, para. 0048] “virus monitor 102 is placed between the tier 2 switch 122 and the lower level tier 3 switch 124 to which the various client devices 104-116 are coupled. In this way, all network traffic between the tier 2 switch (which may be coupled directly to the Internet backbone, for example) and any of the tier 3 switches can be monitored by the virus monitors 102 at a point prior to any of the client devices.”)
…… susceptible to infection by malware; infected by the malware; protected against infection by the malware; and remediated of infection by the malware, ([LIANG, para. 0069] “Once the affected computers have been identified, a virus cleaning agent will be identified that when used has the effect of both cleaning the affected computers, inoculating the cleaned computers from subsequent infections, and inoculating unaffected, but threatened computers, from infection of the virus.”) ([LIANG, para. 0068] “Once a number of client devices have been identified as most likely to be compromised by a virus V, (such as client devices 104 and 106 in this example), the affected client devices and restricted in such a way that each of the affected client devices are blocked from communication with even those clients devices in the affected network segment.”) ([LIANG, para. 0074] “For those computers uninfected by the virus V, the anti-virus agent V1 is used to inoculate (or “lock the door” so to speak) those computers against subsequent infection by the computer virus V. Once it has been determined that all computers in the network segment 602 have been either cleaned, repaired and inoculated or merely inoculated, the quarantine of the network segment 602 (and more importantly the formerly infected with the computer virus V client devices 104 and 106) is ended.”).
…… and associating the risk with a node in the tree data structure corresponding to the subnet; ([LIANG, para. 0067] “Therefore, each of the virus monitors 102 that have detected a virus or viruses in the associated traffic flow will dispatch a corresponding event report to the associated controller 126.”) ([LIANG, para. 0066] “It should be noted, that although not explicitly shown in the various figures, the number of virus monitors can be as large a number as necessary to adequately monitor the traffic flow. Therefore, in the case of a nascent virus attack, it is very desirable to determine as quickly as possible both the extent of the virus attack and the probability of the attack becoming a general virus outbreak that threatens the integrity of the entire network 100.”)
…… performing protective actions on the devices in the subnets associated with each of the first subset of nodes to provide protection against the malware, …… to impede propagation of the malware to devices in subnets associated with each of the first subset of nodes. ([LIANG, para. 0074] “Once it has been determined that all computers in the network segment 602 have been either cleaned, repaired and inoculated or merely inoculated, the quarantine of the network segment 602 (and more importantly the formerly infected with the computer virus V client devices 104 and 106) is ended. At some point, however, a decision is made whether or not to inoculate all the client devices in network 100 against the virus V.”) ([LIANG, para. 0075] “In addition, a number of heretofore uninfected client devices (i.e., 108, 125, and 110-114) have been inoculated by the anti-virus agent V1 against future infections by the virus V.”).
However, LIANG does not teach “…… modelled by a tree data structure in which each subnet is represented as a node in the tree data structure, …… each dynamical system modelling a rate of change of a number of network connected devices in the subnet that are: …… the dynamical systems being based on rates of transmission of the malware between all pairs of subnets; evaluating, for each subnet in the computer network, a measure of risk of infection for the subnet at a predetermined point in time based on the dynamical systems …… identifying a first subset of nodes in the tree data structure for which a risk of infection is below a predetermined threshold level of risk; and identifying a second subset of nodes in the tree data structure as a subset of the first subset, the second subset comprising nodes having a connection to a node in the tree data structure having a risk of infection meeting or exceeding the predetermined threshold level of risk; and ….. prioritizing devices in the subnets associated with the second subset of nodes so as to provide a barrier of subnets protected against the malware”.

JUNG (US-20080005124-A1): This prior art teaches a method to implement a malware countermeasure in a network device. The network device includes a network analyzer module operable to monitor a plurality of networked nodes for an indicium of an activity at each respective node. The network device includes a dissemination module operable to facilitate distribution of a malware countermeasure to a first set of networked nodes.
JUNG does disclose “A computer implemented method of protecting a portion of a computer network from malware attack, the computer network comprising network connected devices organized into hierarchical subnets …… each node having a connection to a parent node save for a root node, the method comprising: ([JUNG, Abstract] “Embodiments include a system, an apparatus, a device, and a method. An embodiment provides a network device. The network device includes an information store operable to save a countermeasure useable in at least substantially reducing a harm caused by a malware (hereafter the “malware countermeasure”).”) ([JUNG, para. 0077] “FIG. 11 illustrates an exemplary environment 700. The exemplary environment includes a network that includes a plurality of sub-network nodes 750. The plurality of sub-network nodes include a first sub-network of the plurality network nodes, illustrated as a first sub-network 752 that includes nodes N10-N13, and a second sub-network of the plurality of network nodes, illustrated as a second sub-network 754 that includes nodes N2-N6. In an embodiment, the plurality of sub-network nodes may be at least substantially similar to the plurality of networked nodes 250 of FIG. 2. The exemplary environment also includes a network device 710, illustrated as a node N1.”)
generating a dynamical system for each subnet in the computer network, …… infected by the malware; protected against infection by the malware; and remediated of infection by the malware, ([JUNG, para. 0074] “The network analyzer module includes a network analyzer module operable to monitor each respective node of the plurality of networked nodes for an indicium of an activity. The dissemination module includes a dissemination module operable to distribute a malware countermeasure to a first set of nodes of the plurality of networked nodes in a manner responsive to the indicium of an activity corresponding to the first set of networked nodes of the plurality of networked nodes.”) ([JUNG, para. 0080] “In an embodiment, the protection circuit 716 further includes a protection circuit for applying the malware countermeasure in the network device 710. In another embodiment, the protection circuit further includes a protection circuit for implementing the malware countermeasure in the network device. The implementing the malware countermeasure includes closing at least one port (not shown) of the network device. In a further embodiment, the protection circuit further includes a protection circuit for implementing the malware countermeasure in the network device, the implementing the malware countermeasure including at least substantially isolating the network device from a network. For example, the network device may be isolated from the plurality of sub-networks 750. Alternatively, the network device may be isolated from the Internet (not shown). In another embodiment, the protection circuit further includes a protection circuit for implementing the malware countermeasure in the network device, the implementing the malware countermeasure including at least substantially isolating at least one sub-network of the plurality sub-networks from the network device. For example, the network device may isolate the sub-network 752 from the network device.”)
…… and associating the risk with a node in the tree data structure corresponding to the subnet; ([JUNG, para. 0005] “The method includes monitoring a plurality of networked nodes for an indicium of an activity at each respective node. The method also includes facilitating a distribution of a countermeasure to a first set of networked nodes of the plurality of networked nodes in a manner responsive to an indicium of an activity associated with the first set of networked nodes of the plurality of networked nodes, the countermeasure useable in at least substantially reducing a harm presented by a malware (hereafter the “malware countermeasure”) to a networked device and/or a node of a network”)
…… performing protective actions on the devices in the subnets associated with each of the first subset of nodes to provide protection against the malware, …… to impede propagation of the malware to devices in subnets associated with each of the first subset of nodes. ([JUNG, para. 0012] “The computer-program product also includes program instructions operable to perform a process in a computing device. The process includes saving a countermeasure useable in at least substantially reducing a harm presented by a malware to a networked device and/or a node of a network (hereafter the “malware countermeasure”). The process also includes determining if a criterion for implementation of the malware countermeasure is met. The process further includes implementing the malware countermeasure in the computing device if the criterion is met for implementation of the malware countermeasure.”).
However, JUNG does not teach “modelled by a tree data structure in which each subnet is represented as a node in the tree data structure, each node having a connection to a parent node save for a root node, the method comprising: …… each dynamical system modelling a rate of change of a number of network connected devices in the subnet that are: susceptible to infection by malware; …… the dynamical systems being based on rates of transmission of the malware between all pairs of subnets; evaluating, for each subnet in the computer network, a measure of risk of infection for the subnet at a predetermined point in time based on the dynamical systems …… identifying a first subset of nodes in the tree data structure for which a risk of infection is below a predetermined threshold level of risk; and identifying a second subset of nodes in the tree data structure as a subset of the first subset, the second subset comprising nodes having a connection to a node in the tree data structure having a risk of infection meeting or exceeding the predetermined threshold level of risk …… prioritizing devices in the subnets associated with the second subset of nodes so as to provide a barrier of subnets protected against the malware”.

OMOTE (US-20070220606-A1): This prior art discloses a method to prevent a worm from spreading throughout a network. This is done by a computer program for determining parameters for controlling timing for an anti-worm-measure means to start blocking of a communication by a worm in a network, for preventing a spread of the worm. The computer program causes a computer to execute calculating infectivity of the worm based on number of nodes connected to the network; and estimating an expected value of number of infected nodes at a time when the worm transmits a predetermined number of packets.
OMOTE does teach “A computer implemented method of protecting a portion of a computer network from malware attack, …… each node having a connection to a parent node save for a root node, the method comprising: ([OMOTE, para. 0010] “one aspect of the present invention stores therein a computer program for determining parameters for controlling timing for an anti-worm-measure means to start blocking of a communication by a worm in a network, for preventing a spread of the worm. The computer program causes a computer to execute calculating infectivity of the worm based on number of nodes connected to the network”) ([OMOTE, para. 0062] “Anti-worm-measure means 210 such as an anti-worm-measure program or a firewall program, which is means for preventing infection of worms from other nodes to the own nodes and infection of worms from the own nodes to the other nodes, is installed in the nodes 201 to 202. According to the first embodiment, it is assumed that the anti-worm-measure means 210 are installed in all the nodes connected to the networks in the same manner. The anti-worm-measure parameter determining apparatus 100 is used for determining parameters for the anti-worm-measure means 210 to detect and block the worms.”) ([OMOTE, para. 0053] “the blocking of the communication by the worm is completed at a stage when thirty-nine worm packets are transmitted from an infected node, it is possible to prevent the worm from spreading with the infected node as an origin.”)
generating a dynamical system for each subnet in the computer network, each dynamical system modelling a rate of change of a number of network connected devices in the subnet that are: susceptible to infection by malware; infected by the malware; protected against infection by the malware; and ([OMOTE, para. 0055] “If anti-worm-measure means are installed in all the nodes connected to the networks and the respective anti-worm-measure means set-anti-worm-measure parameters to allow leakage of worm packets with a limit set at the limit number of leaked packets in the respective networks, it is possible to prevent spread of the worm to the entire networks.”) ([OMOTE, para. 0057] “It is possible to calculate the number of worm packets transmitted from one infection source and leaked in this period by multiplying length of this period (hereinafter, “blocking time”) by the number of worm packets that the worm transmits in a fixed time (hereinafter, “spreading speed”).”) ([OMOTE, para. 0123] “An anti-worm-measure means 510 such as an anti-worm-measure program or a firewall program, which is means for preventing infection of worms from other nodes to the own nodes and infection of worms from the own nodes to the other nodes, is installed in the nodes 501 to 502. According to the third embodiment, it is assumed that the anti-worm-measure means 510 are installed in all the nodes connected to the networks in the same manner.”)
the dynamical systems being based on rates of transmission of the malware between all pairs of subnets; ([OMOTE, para. 0057] “As shown in the figure, even if the anti-worm-measure means determines that specific communication is communication by a worm and starts blocking of the communication, there is a slight time lag until the blocking is completed. It is possible to calculate the number of worm packets transmitted from one infection source and leaked in this period by multiplying length of this period (hereinafter, “blocking time”) by the number of worm packets that the worm transmits in a fixed time (hereinafter, “spreading speed”).”)
…… identifying a first subset of nodes … for which a risk of infection is below a predetermined threshold level of risk; and ([OMOTE, para. 0151] “Furthermore, according to an embodiment of the present invention, the anti-worm-measure means sets the number of packets allowed to be leaked considering that the infection of the worm does not spread exceeding the predetermined upper limit number. Thus, there is an effect that, even when it is impossible to prevent the spread if the, infection of the worm spreads exceeding the predetermined upper limit number, it is possible to set anti-worm-measure parameters to prevent the worm from being spread.”)
…… performing protective actions on the devices in the subnets associated with each of the first subset of nodes to provide protection against the malware, …… to impede propagation of the malware to devices in subnets associated with each of the first subset of nodes. ([OMOTE, para. 0014] “A number-of-nodes limiting system according to still another aspect of the present invention limits number of nodes connectable to a network when an anti-worm-measure means is set to start blocking of a communication by a worm at predetermined timing, for preventing a spread of the worm.”) ([OMOTE, para. 0145] “As described above, according to the third embodiment, an upper limit of the number of nodes, with which a worm does not spread, is calculated based on the setting and the like of the anti-worm-measure apparatus. Thus, even when it is impossible to prevent spread of a worm by changing the setting of the anti-worm-measure apparatus, it is possible to prevent spread of the worm by limiting the number of nodes.”).
However, OMOTE does not teach “the computer network comprising network connected devices organized into hierarchical subnets modelled by a tree data structure in which each subnet is represented as a node in the tree data structure, …… remediated of infection by the malware …… evaluating, for each subnet in the computer network, a measure of risk of infection for the subnet at a predetermined point in time based on the dynamical systems and associating the risk with a node in the tree data structure corresponding to the subnet identifying a second subset of nodes in the tree data structure as a subset of the first subset, the second subset comprising nodes having a connection to a node in the tree data structure having a risk of infection meeting or exceeding the predetermined threshold level of risk; and …… prioritizing devices in the subnets associated with the second subset of nodes so as to provide a barrier of subnets protected against the malware”.

Therefore, none of the prior art of record, independently or in combination, discloses all the limitations of the independent claims 1, 5, and 6 as recited in the amended set of claims being examined.

Therefore, the independent claims are allowable over the prior art of record. The dependent claims, being definite, further limiting, and fully enabled by the specification, are also allowed by virtue of their dependence on the independent claims.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AFAQ ALI whose telephone number is (571)272-1571. The examiner can normally be reached Mon - Fri 7:30am - 5:30pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand, can be reached on (571)272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/AFAQ ALI/Examiner, Art Unit 2434
/KAMBIZ ZAND/Supervisory Patent Examiner, Art Unit 2434