Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Detailed Action
1.	This action is responsive to the communication filed on 16 March 2022, with acknowledgement of an original application filed on 16 November 2020, and that this application is a continuation of 15/923,581, now patent 10,875,590, which claims priority to a provisional application as well as a foreign application filed 29 September 2017.
2.	Claims 1-21 are currently pending.  Claims 1, 8, and 15, are independent claims. Claim 17 has been amended.  
Response to Arguments

3.	Applicant's arguments filed 16 March 2022 have been fully considered; however, they are not persuasive where noted below.  The Examiner notes a terminal disclaimer has not been filed; therefore the Double Patenting Rejection remains in the rejection below.  The objection to claim 17 is removed due to amendment.
I)	In response to Applicant’s argument beginning on page 8, “However, Ranum is entirely silent in regards to adding tags. Thus, Ranum fails to disclose at least “…when at least one sign of suspicious activity is found, extracting, by the processor, a second tag from the database of suspicious activities and adding the second tag to an object database”.
	The Examiner disagrees with this argument.  Ranum states in paragraph 18, “remotely scanning a host in the network to enumerate one or more processes running on the remotely scanned host and compute unique signatures associated with the one or more enumerated processes. In one implementation, the method may then communicate the unique signatures associated with the enumerated processes running on the remotely scanned host to a cloud database, which may aggregate signatures associated with known virus or malware samples that multiple different anti-virus vendors have catalogued. In one implementation, the method may further comprising receiving a message from the cloud database that indicates whether the unique signatures associated with the enumerated processes running on the remotely scanned host match any signatures associated with the known virus or malware samples that the multiple different anti-virus vendors have catalogued and generating a report to indicate that the remotely scanned host has a malware infection if the message received from the cloud database indicates that the unique signature associated with at least one enumerated process running on the remotely scanned host matches the signature associated with at least one known virus or malware sample”.  The Examiner notes that communicating the unique signatures associated with the enumerated processes to a database, as well as generating a report, is interpreted as equivalent to “adding the second tag to an object database”.  The strategic anti-malware monitoring uses a database to compare against known virus or malware samples that vendors have catalogued (i.e. tagged) to determine whether a host has a malware infection. It is clear from the Ranum disclosure that the signatures and reports generated and catalogued are equivalent to first, second, and multiple tags. Therefore, the Applicant’s arguments are not persuasive.
II)	In response to applicant’s argument beginning on page 9, “In regards to the rejection of claims 3, 10 and 17, the Examiner conceded that Glokas and Ranum fail to obviate claims 3, 10, and 17…Ha also fails to disclose “…searching, by the processor, for signs of suspicious activity in a database of suspicious activities based on the received security notification and the added first tag”.
The Examiner disagrees with this argument.  As indicated above, the combination of Glokas and Ranum clearly teaches/suggests searching, by the processor, for signs of suspicious activity in a database of suspicious activities … and adding a second tag; see Ranum paragraphs 17-22.  The Glokas reference was utilized to more explicitly teach performing memory dumps to analyze whether content such as a file contains malicious code.  Therefore, the Applicant’s arguments are not persuasive.
Double Patenting
4.	The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A statutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and  In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. 
Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/forms/.
The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. 
An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, please refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp
5.	Claims 1-21 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1-20 of application 15/923,581, now patent 10,873,581.
Although the conflicting claims are not identical, they are not patentably distinct from each other because all the elements/features of the claimed method for detecting computer attacks with the use of tags exist in the patented application under similar or different names, essentially performing the same tasks.  The only difference is that the present application has presented the claim limitations in a different order.  As shown below, limitations from claim 1 of the patented application are now in independent claim 1; the main difference is that the application contains less detail than the patented claims.  Note that the claim limitations in patented claim 1 that are not present in the application are underlined below.  
PATENT 10,873,590, CLAIM 1:
A method for detecting computer attacks comprising: 
gathering, using a hardware processor, information on an object in a computer in a network; 
saving a security notification with the object in an object database in the network; 
searching for the object in a threat database in the network; 
adding one or more tags to the object when the object is found in the threat database and adding a correspondence between a record in the object database and the threat database; 
determining that a computer attack has occurred when the one or more tags correspond to one or more signatures in a database of computer attacks, wherein a signature comprises: at least one record about the object, at least one record about the security notification, and at least one tag of the object; 
searching, in a suspicious activity database, for suspicious activity based on the one or more tags; and when a sign of the suspicious activity is found in the suspicious activity database, 
adding a second tag to the security notification, the second tag being obtained from the suspicious activity database and being indicative of a presence of at least one suspicious activity.

PRESENT APPLICATION, CLAIM 1:
A method of adding tags for use in detecting computer attacks, the method comprising: 
receiving, by a processor, a security notification; 
extracting, by the processor, an object from the security notification; 
searching, by the processor, for the extracted object in a threat database; 
adding, by the processor, a first tag corresponding to the extracted object in the threat database only when the extracted object is found in the threat database; 
searching, by the processor, for signs of suspicious activity in a database of suspicious activities based on the received security notification and the added first tag; and when at least one sign of suspicious activity is found, 
extracting, by the processor, a second tag from the database of suspicious activities and adding the second tag to an object database, wherein the object database is used for identifying signature of targeted attacks based on security notifications, objects, first tags and second tags.
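As an added illustration, not code from the application, the patent, or any cited reference, the following Python models the two-stage tagging pipeline of claim 1 of the present application: the first tag is added only when the extracted object is found in the threat database, the suspicious activity search depends on both the notification and that first tag, and the resulting object database records are then matched against signatures of targeted attacks. The threat database entries, suspicious activity rules, signature, and notification fields are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed threat database: object identifier (a placeholder file hash) -> first tag.
THREAT_DB = {"sha256:PLACEHOLDER-DROPPER-HASH": "ioc:known_dropper"}
# Constructed database of suspicious activities: a rule matches notification fields plus,
# optionally, the first tag, and yields the second tag to be added to the object database.
SUSPICIOUS_ACTIVITY_DB = [
    {"event": "process_launch", "child": "powershell.exe",
     "first_tag": "ioc:known_dropper", "second_tag": "activity:dropper_launched_powershell"},
    {"event": "process_launch", "child": "powershell.exe",
     "first_tag": None, "second_tag": "activity:powershell_launched"},
]
# Constructed signatures of targeted attacks: the tags one object must carry in the object database.
ATTACK_SIGNATURES = {
    "targeted:dropper_to_powershell": {"ioc:known_dropper", "activity:dropper_launched_powershell"},
}

@dataclass
class ObjectRecord:  # one object database record
    notification: dict
    obj: str
    first_tag: Optional[str]
    second_tags: list = field(default_factory=list)

def extract_object(notification: dict) -> str:
    """Extract the object from the notification (here, the hash of the launched image)."""
    return notification["image_hash"]

def search_threat_db(obj: str) -> Optional[str]:
    """Return the first tag only when the object is found in the threat database."""
    return THREAT_DB.get(obj)

def search_suspicious_activity(notification: dict, first_tag: Optional[str]) -> list:
    """Return the second tag of every rule satisfied by the notification and the first tag."""
    hits = []
    for rule in SUSPICIOUS_ACTIVITY_DB:
        if (rule["event"], rule["child"]) != (notification["event"], notification["child"]):
            continue
        if rule["first_tag"] is not None and rule["first_tag"] != first_tag:
            continue  # rule requires a first tag this object does not carry
        hits.append(rule["second_tag"])
    return hits

def process_notification(notification: dict, object_db: list) -> ObjectRecord:
    """Run the claimed pipeline for one notification and store the record in the object database."""
    obj = extract_object(notification)
    first_tag = search_threat_db(obj)
    record = ObjectRecord(notification, obj, first_tag, search_suspicious_activity(notification, first_tag))
    object_db.append(record)
    return record

def identify_targeted_attacks(object_db: list) -> dict:
    """Map each matching signature name to the objects whose accumulated tags satisfy it."""
    tags_by_object: dict = {}
    for rec in object_db:
        extra = [rec.first_tag] if rec.first_tag else []
        tags_by_object.setdefault(rec.obj, set()).update(rec.second_tags + extra)
    return {name: objs for name, needed in ATTACK_SIGNATURES.items()
            if (objs := sorted(o for o, t in tags_by_object.items() if needed <= t))}
```

Running two notifications through process_notification, one whose image hash is in THREAT_DB and one whose hash is not, shows the second rule firing for both while the signature matches only the object that carries the first tag.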


Claim Rejections – 35 USC § 103
6.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

7.	Claims 1-2, 4-9, 11-16, and 18-21, are rejected under 35 U.S.C. 103 as being unpatentable over Glokas U.S. Patent Application Publication No. 2015/0128274 (hereinafter ‘274) in view of Ranum et al. U.S. Patent Application Publication No. 2014/0013434 (hereinafter ‘434).
As to independent claim 1, “1. A method of adding tags for use in detecting computer attacks, the method comprising: receiving, by a processor, a security notification” is taught in ‘274 Abstract, paragraphs 4 and 12; note the network security monitor (i.e. hardware processor) gathers logs (i.e. information on an object in a network) and a threat indicator (i.e. a tag);
“extracting, by the processor, an object from the security notification” is shown in ‘274 paragraphs 86, 91, note the logs received are stored and indexed and reports are provided;
“searching, by the processor, for the extracted object in a threat database; adding, by the processor, a first tag corresponding to the extracted object in the threat database only when the extracted object is found in the threat database” is shown in ‘274 paragraphs 113, and 118-121, note the log correlation engine (searches the database of indexed log against a threat indicator list) /the one or more tags are interpreted equivalent to stored results and reports / likewise the reports can be generated (hourly, daily, weekly, monthly) i.e. this is interpreted equivalent to “one or more tags”;
Although ‘274 teaches, in paragraphs 105-109, that signatures can refer to attack patterns used by the tool and stored in a threat indicator list, because the exact phrase ‘signatures in a database’ is not explicitly used, it could be argued the following is not explicitly taught in ‘274: 
“searching, by the processor, for signs of suspicious activity in a database of suspicious activities based on the received security notification and the added first tag; and when at least one sign of suspicious activity is found, extracting, by the processor, a second tag from the database of suspicious activities and adding the second tag to an object database, wherein the object database is used for identifying signature of targeted attacks based on security notifications, objects, first tags and second tags”; however, ‘434 teaches a system and method that performs anti-malware monitoring that compares a generated signature to known virus or malware signatures in the Abstract, paragraphs 2, 10, 17-22, 48, and 58-60.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the network security monitoring system that identifies unknown attacks taught in ‘274 to include a means to utilize signatures of known attacks to determine an attack.  One of ordinary skill in the art would have been motivated to perform such a modification to utilize various mechanisms and techniques to provide strategic anti-malware monitoring in a network; see ‘434 paragraphs 4-10.
As to dependent claim 2, “The method of claim 1, wherein the signatures of targeted attacks depend on information obtained during penetration tests conducted to assess vulnerabilities in protocols used for privileged access” is taught in ‘434 paragraphs 44, 75-76 and 81.
As to dependent claim 4, “The method of claim 3, wherein the action which resulted in the identification of the signatures of the targeted attacks comprises at least one of: a launching of a PowerShell interpreter from an application, an obfuscation of PowerShell parameters, invoking an HTTP request from the PowerShell interpreter, and a modification, by PowerShell interpreter, of register keys for performing an autorun” is shown in ‘274 paragraphs 94-96.
As to dependent claim 5, “The method of claim 4, wherein the action which resulted in the identification of the signatures of the targeted attacks further comprises: a failure to find a match between a name of the file and a hash of the file registered in the autorun, while simultaneously finding a match between a hash of the file and a hash of an application TeamViewer” is disclosed in ‘434 paragraphs 45-51.
As to dependent claim 6, “The method of claim 1, wherein the identification of the signatures of targeted attacks is performed by searching in a database of computer attacks” is taught in ‘274 Abstract, paragraphs 2, 10, 17-22, 48, and 58-60.
As to dependent claim 7, “The method of claim 1, wherein the extracted object is found in the threat database when the object is detected on a computer that corresponds to a predefined indicator of compromise” is shown in ‘274 paragraphs 86, 113, and 117-118.
As to independent claim 8, this claim is directed to a system executing the method of claim 1; therefore, it is rejected along similar rationale.
As to dependent claims 9 and 11-14, these claims contain substantially similar subject matter to claims 2 and 4-7; therefore, they are rejected along similar rationale.
As to independent claim 15, this claim is directed to a non-transitory computer readable medium executing the method of claim 1; therefore, it is rejected along similar rationale.
As to dependent claims 16 and 18-21, these claims contain substantially similar subject matter to claims 2 and 4-7; therefore, they are rejected along similar rationale.
8.	Claims 3, 10, and 17, are rejected under 35 U.S.C. 103 as being unpatentable over Glokas U.S. Patent Application Publication No. 2015/0128274 (hereinafter ‘274) in view of Ranum et al. U.S. Patent Application Publication No. 2014/0013434 (hereinafter ‘434) in further view of Ha et al. U.S. Patent No. 10,089,461 (hereinafter ‘461).
As to dependent claim 3, the following is not explicitly taught in ‘274 and ‘434: “The method of claim 1, further comprising: determining, by the processor, whether or not an action which resulted in the identification of the signatures of the targeted attacks is an allowed action; and when the action which resulted in the identification of the signatures of the targeted attacks is not allowed, obtaining, by the processor, at least one of: log records of computer protection modules, memory dumps, and disk dumps of the computer associated with the received security notification”; however, ‘461 teaches that memory dumps may be utilized to analyze whether content such as a file contains malicious code and to perform signature generation on the detected threat (i.e. logging steps of detecting the attack) in col. 6, lines 7-55.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the network security monitoring system that identifies unknown attacks taught in ‘274 and ‘434 to include a means to utilize a memory dump.  One of ordinary skill in the art would have been motivated to perform such a modification because improvements towards efficiently thwarting malware detection of monitoring systems are needed; see ‘461 col. 1, line 11 through col. 2, line 29.
As to dependent claims 10 and 17, these claims contain substantially similar subject matter to claim 3; therefore, they are rejected along similar rationale.
Conclusion
THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
9.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to Ellen Tran whose telephone number is (571) 272-3842.  The examiner can normally be reached from 7:30 am to 4:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeff Pwu, can be reached at (571) 272-6798.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ELLEN TRAN/ Primary Examiner, Art Unit 2433
8 June 2022