DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This communication is in response to the application filed on 11/23/2020.
Claims 1-10 and 12-21 are allowed.  Claims 11 and 22 have been canceled.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 06/22/2021 was filed.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Priority
Acknowledgment is made of applicant’s claim for foreign priority under 35 U.S.C. 119 (a)-(d). The certified copy has been filed in parent Application No. TW109137275, filed on 10/27/2020.

EXAMINER'S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with applicant’s representative James Long (Reg. No. 62006) on 06/08/2022.

The application has been amended as follows:
AMENDMENTS TO THE CLAIMS
This listing of claims will replace all prior versions and listings of claims in the application:  
1.	(Currently amended) An abnormal packet detection apparatus, comprising:
a storage, being configured to store a whitelist corresponding to a protocol port, wherein the whitelist comprises at least one legal packet record, each of the at least one legal packet record comprises a legal packet length, a legal source address, and a legal variation position set, and each of the at least one legal packet record corresponds to a reference packet;
a transceiving interface, being configured to receive a first to-be-analyzed packet of the protocol port; and
a processor, being electrically connected to the storage and the transceiving interface, and being configured to determine that a current packet length and a current source address of the first to-be-analyzed packet are respectively the same as the legal packet length and the legal source address comprised in a reference packet record among the at least one legal packet record, determine a current variation position of the first to-be-analyzed packet by comparing the first to-be-analyzed packet with the reference packet corresponding to the reference packet record, and generate a first detection result by comparing the current variation position with the legal variation position set comprised in the reference packet record,
wherein the whitelist comprises a plurality of legal packet records, the storage further stores a plurality of historical packets of the protocol port, each of the historical packets has a historical packet length and records a historical source address, the processor further generates a piece of statistical data individually for a plurality of combinations formed by different historical packet lengths and different historical source addresses, each of the combinations corresponds to a subset of the historical packets, each of the pieces of statistical data comprises the historical packet length, the historical source address, a count, at least one historical variation position, and at least one historical occurrence value of each of the at least one historical variation position related to the historical packets comprised in the subset, and the processor further generates one of the legal packet records according to each of the pieces of statistical data.

2.	(Original) The abnormal packet detection apparatus of Claim 1, wherein the legal variation position set of each of the at least one legal packet record comprises at least one byte position,
wherein the first detection result is that the current variation position is not one of the at least one byte position comprised in the legal variation position set included in the reference packet record, and the transceiving interface further transmits an alarm signal.

3.	(Original) The abnormal packet detection apparatus of Claim 1, wherein the legal variation position set of each of the at least one legal packet record comprises at least one byte position, and each of the at least one byte position corresponds to a legal occurrence value set,
wherein the first detection result is that the current variation position is one of the at least one byte position comprised in the legal variation position set included in the reference packet record, the processor further finds out a reference occurrence value set from the at least one legal occurrence value set according to the current variation position, and the processor further generates a second detection result by comparing a current occurrence value of the first to-be-analyzed packet at the current variation position with the reference occurrence value set.

4.	(Original) The abnormal packet detection apparatus of Claim 3, wherein the reference occurrence value set comprises a plurality of legal occurrence values, the second detection result is that the current occurrence value is not one of the legal occurrence values, and the transceiving interface further transmits an alarm signal.

5.	(Original) The abnormal packet detection apparatus of Claim 1, wherein the legal variation position set of the reference packet record comprises at least one byte position, each of the at least one byte position corresponds to a legal occurrence value set, a specific byte position in the at least one byte position corresponds to a specific occurrence value set in the at least one legal occurrence value set, and a plurality of legal occurrence values comprised in the specific occurrence value set form an occurrence pattern,
wherein the transceiving interface further receives a plurality of second to-be-analyzed packets, the processor further determines that a current packet length and a current source address of each of the second to-be-analyzed packets are respectively the same as the legal packet length and the legal source address comprised in the reference packet record, and the processor further generates a second detection result by comparing a plurality of current occurrence values of the second to-be-analyzed packets and the first to-be-analyzed packet at the specific byte position with the occurrence pattern to generate a second detection result.

6.	(Original) The abnormal packet detection apparatus of Claim 1, wherein the whitelist comprises a plurality of legal packet records, the storage further stores a plurality of historical packets of the protocol port, each of the historical packets has a historical packet length and records a historical source address, the processor further generates a piece of statistical data for the historical packets with different historical packet lengths, each of the pieces of statistical data comprises the corresponding historical packet length, one of the historical source addresses, a count related to the corresponding historical packet length, at least one historical variation position and at least one historical occurrence value of each of the at least one historical variation position, and the processor further generates one of the legal packet records according to each of the pieces of statistical data.

7.	(Original) The abnormal packet detection apparatus of Claim 6, wherein the processor determines that a specific byte position occurs at the at least one historical variation position of each of the pieces of statistical data, and the processor further removes the specific byte position from the at least one historical variation position of each of the pieces of statistical data.

8.	(Original) The abnormal packet detection apparatus of Claim 6, wherein the processor further finds out a piece of specific statistical data from the pieces of statistical data, the processor further determines that a variation rate of a specific byte position in the at least one historical variation position comprised in the specific statistical data is higher than a threshold value, and the processor further removes the specific byte position from the at least one historical variation position of the specific statistical data.

9.	(Original) The abnormal packet detection apparatus of Claim 6, wherein the processor further determines, from the pieces of statistical data, that a packet length variation of a specific source address among the historical source addresses is smaller than a threshold value, and the processor further determines that the specific source address corresponds to a master device.

10.	(Currently amended) The abnormal packet detection apparatus of Claim 1,
wherein the processor further identifies a target packet length from the historical packet lengths according to the maximum of the counts, the processor further generates a piece of second statistical data individually for at least one combination formed by the target packet length and different historical source addresses, each of the at least one combination corresponds to a subset of the historical packets, each of the at least one piece of second statistical data comprises the target packet length, one of the historical source addresses, a count related to the historical packets comprised in the subset, at least one second historical variation position, and at least one second historical occurrence value of each of the at least one second historical variation position, and the processor further generates the at least one legal packet record according to the at least one piece of second statistical data.

11.	(Canceled).

12.	(Original) An abnormal packet detection method, being adapted for use in an electronic computing apparatus, the electronic computing apparatus storing a whitelist corresponding to a protocol port, the whitelist comprising at least one legal packet record, each of the at least one legal packet record comprising a legal packet length, a legal source address, and a legal variation position set, each of the at least one legal packet record corresponding to a reference packet, and the abnormal packet detection method comprising the following steps:
receiving a first to-be-analyzed packet of the protocol port;
determining that a current packet length and a current source address of the first to-be-analyzed packet are respectively the same as the legal packet length and the legal source address comprised in a reference packet record among the at least one legal packet record;
determining a current variation position of the first to-be-analyzed packet by comparing the first to-be-analyzed packet with the reference packet corresponding to the reference packet record; and
generating a first detection result by comparing the current variation position with the legal variation position set comprised in the reference packet record,
wherein the whitelist comprises a plurality of legal packet records, the electronic computing apparatus further stores a plurality of historical packets of the protocol port, each of the historical packets has a historical packet length and records a historical source address, and the abnormal packet detection method further comprises the following steps:
generating a piece of statistical data individually for a plurality of combinations formed by different historical packet lengths and different historical source addresses, wherein each of the combinations corresponds to a subset of the historical packets, each of the pieces of statistical data comprises the historical packet length, the historical source address, a count, at least one historical variation position, and at least one historical occurrence value of each of the at least one historical variation position related to the historical packets comprised in the subset; and
generating one of the legal packet records according to each of the pieces of statistical data.

13.	(Original) The abnormal packet detection method of Claim 12, wherein the legal variation position set of each of the at least one legal packet record comprises at least one byte position, the first detection result is that the current variation position is not one of the at least one byte position comprised in the legal variation position set included in the reference packet record, and the abnormal packet detection method further comprises the following step:
transmitting an alarm signal.

14.	(Original) The abnormal packet detection method of Claim 12, wherein the legal variation position set of each of the at least one legal packet record comprises at least one byte position, each of the at least one byte position corresponds to a legal occurrence value set, the first detection result is that the current variation position is one of the at least one byte position comprised in the legal variation position set included in the reference packet record, and the abnormal packet detection method further comprises the following steps:
finding out a reference occurrence value set from the at least one legal occurrence value set according to the current variation position; and
generating a second detection result by comparing a current occurrence value of the first to-be-analyzed packet at the current variation position with the reference occurrence value set.

15.	(Original) The abnormal packet detection method of Claim 14, wherein the reference occurrence value set comprises a plurality of legal occurrence values, the second detection result is that the current occurrence value is not one of the legal occurrence values, and the abnormal packet detection method further comprises the following step:
transmitting an alarm signal.

16.	(Original) The abnormal packet detection method of Claim 12, wherein the legal variation position set of the reference packet record comprises at least one byte position, each of the at least one byte position corresponds to a legal occurrence value set, a specific byte position in the at least one byte position corresponds to a specific occurrence value set in the at least one legal occurrence value set, a plurality of legal occurrence values comprised in the specific occurrence value set form an occurrence pattern, and the abnormal packet detection method further comprises the following steps:
receiving a plurality of second to-be-analyzed packets;
determining that a current packet length and a current source address of each of the second to-be-analyzed packets are respectively the same as the legal packet length and the legal source address comprised in the reference packet record; and
generating a second detection result by comparing a plurality of current occurrence values of the second to-be-analyzed packets and the first to-be-analyzed packet at the specific byte position with the occurrence pattern.

17.	(Original) The abnormal packet detection method of Claim 12, wherein the whitelist comprises a plurality of legal packet records, the electronic computing apparatus further stores a plurality of historical packets of the protocol port, each of the historical packets has a historical packet length and records a historical source address, and the abnormal packet detection method further comprises the following steps:
generating a piece of statistical data for the historical packets with different historical packet lengths, wherein each of the pieces of statistical data comprises the corresponding historical packet length, one of the historical source addresses, a count related to the corresponding historical packet length, at least one historical variation position, and at least one historical occurrence value of each of the at least one historical variation position; and
generating one of the legal packet records according to each of the pieces of statistical data.

18.	(Original) The abnormal packet detection method of Claim 17, further comprising the following steps:
determining that a specific byte position occurs at the at least one historical variation position of each of the pieces of statistical data; and
removing the specific byte position from the at least one historical variation position of each of the pieces of statistical data.

19.	(Original) The abnormal packet detection method of Claim 17, further comprising the following steps:
finding out a piece of specific statistical data from the pieces of statistical data;
determining that a variation rate of a specific byte position in the at least one historical variation position comprised in the specific statistical data is higher than a threshold value; and
removing the specific byte position from the at least one historical variation position of the specific statistical data.

20.	(Original) The abnormal packet detection method of Claim 17, further comprising the following steps:
determining, from the pieces of statistical data, that a packet length variation of a specific source address among the historical source addresses is smaller than a threshold value; and
determining that the specific source address corresponds to a master device.

21.	(Currently amended) The abnormal packet detection method of Claim 12, comprising the following steps:
generating a piece of first statistical data for the historical packets with different historical packet lengths, wherein each of the pieces of first statistical data comprises the corresponding historical packet length, at least one of the historical source addresses, a count related to the corresponding historical packet length, at least one first historical variation position, and at least one first historical occurrence value of each of the at least one first historical variation position;
identifying a target packet length from the historical packet lengths according to the maximum of the counts;
generating a piece of second statistical data individually for at least one combination formed by the target packet length and different historical source addresses, wherein each of the at least one combination corresponds to a subset of the historical packets, each of the at least one piece of second statistical data comprises the target packet length, one of the historical source addresses, a count related to the historical packets comprised in the subset, at least one second historical variation position, and at least one second historical occurrence value of each of the at least one second historical variation position; and
generating the at least one legal packet record according to the at least one piece of second statistical data.

22.	(Canceled).
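
The learning steps of claims 1 and 12 and the two detection stages of claims 2-4 and 13-15, sketched as an added Python example; it is not the applicant's implementation and not part of the office action. Taking the first packet of each group as the reference packet, checking every differing byte rather than a single variation position, the verdict labels, and the sample frames and address are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class LegalPacketRecord:
    length: int          # legal packet length
    source: str          # legal source address
    count: int           # number of historical packets behind this record
    reference: bytes     # reference packet the record corresponds to
    legal_values: dict   # legal variation position -> legal occurrence value set


def build_whitelist(history):
    """Learn one record per (packet length, source address) combination.

    history: iterable of (source_address, payload) seen on one protocol port.
    """
    groups = defaultdict(list)
    for source, payload in history:
        groups[(len(payload), source)].append(payload)

    whitelist = {}
    for (length, source), packets in groups.items():
        reference = packets[0]  # assumption: first packet seen is the reference
        # Historical variation positions: bytes that ever differ from the reference.
        varying = {i for p in packets[1:] for i in range(length)
                   if p[i] != reference[i]}
        # Historical occurrence values observed at each of those positions.
        legal_values = {i: {p[i] for p in packets} for i in sorted(varying)}
        whitelist[(length, source)] = LegalPacketRecord(
            length, source, len(packets), reference, legal_values)
    return whitelist


def inspect(whitelist, source, payload):
    """Return (verdict, byte_position) for one to-be-analyzed packet."""
    record = whitelist.get((len(payload), source))
    if record is None:
        # The claims cover only the matching case; a separate verdict for a
        # length/source miss is an assumption of this example.
        return ("no_record", None)
    for pos, (ref_byte, cur_byte) in enumerate(zip(record.reference, payload)):
        if ref_byte == cur_byte:
            continue
        if pos not in record.legal_values:        # first detection result
            return ("illegal_position", pos)
        if cur_byte not in record.legal_values[pos]:  # second detection result
            return ("illegal_value", pos)
    return ("ok", None)


# Constructed sample traffic: three 12-byte frames from one source address.
MASTER = "10.0.0.5"
HISTORY = [(MASTER, bytes.fromhex(h)) for h in (
    "000100000006010300000002",
    "000200000006010300100002",
    "000300000006010300200002",
)]
WHITELIST = build_whitelist(HISTORY)

if __name__ == "__main__":
    for label, frame in (
        ("seen before", "000200000006010300100002"),
        ("byte 7 changed", "000200000006010600100002"),
        ("new value at byte 9", "000100000006010300300002"),
    ):
        print(label, inspect(WHITELIST, MASTER, bytes.fromhex(frame)))
```
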




Reason for Allowance
The following is an examiner’s statement of reasons for allowance:
Whitelist comprises at least one legal packet record, each of the at least one legal packet record comprises a legal packet length, a legal source address, and a legal variation position set is stored in a storage and a plurality of legal packet records, the storage further stores a plurality of historical packets of the protocol port, each of the historical packets has a historical packet length and records a historical source address, the processor further generates a piece of statistical data individually for a plurality of combinations formed by different historical packet lengths and different historical source addresses, each of the combinations corresponds to a subset of the historical packets, each of the pieces of statistical data comprises the historical packet length, the historical source address, a count, at least one historical variation position, and at least one historical occurrence value of each of the at least one historical variation position related to the historical packets comprised in the subset, and the processor further generates one of the legal packet records according to each of the pieces of statistical data.  Determines that a current packet length and a current source address of a first to-be-analyzed packet are respectively the same as the legal packet length and the legal source address comprised in a reference packet record among the at least one legal packet record, determine a current variation position of the first to-be-analyzed packet by comparing the first to-be-analyzed packet with the reference packet corresponding to the reference packet record, and generate a first detection result by comparing the current variation position with the legal variation position set comprised in the reference packet record.
The prior art of Miron (US 20190190930 A1) teaches a computerized device for detecting automatic and manual malware and other threats, such as malware, malicious intrusions, exploits, and attacks, and other harmful software, both potential and actual, in order to rapidly and effectively detect them. It analyzes the packets of the Packet Capture files against rules and policies. These “absolute” rules include, for example, those for packet length, certain sources/destinations, packet data rules, such as having used a specific port. For example, strings (e.g., fixed strings) are compared, integers (e.g., integer numbers), length of packet data, regular expressions, floats, IP addresses, requests, including GET requests and POST requests, are analyzed, so that a value is assigned, in the form of an integer of zero or more.
Another art of Manadhata (US 20170163670 A1) teaches that by using the whitelist to filter benign domains, and a blacklist to identify known threats, the number of packets stored for logging may be reduced to a fraction of their original numbers, substantially reducing storage space required to store DNS packets over time.  If a packet does not match a whitelist or blacklist entry, the appliance may not be able to quickly determine if the packet is benign or if the packet is associated with a security event. Consequently, these packets may be logged for later analysis. This analysis may be performed when a security event is detected. Analysis may also be performed to monitor performance of a system or application.
Another art of Singh (US 20110131655 A1) teaches that when a new signature is written into the DT1 CAM, overwriting a valid old entry, the fields of the old entry will be compared to the white list threshold registers and if the thresholds are met, a report for the signature is sent to the director to potentially white list the entry. If on the other hand, the old entry does not meet the minimum lifespan criteria, the head pointer will be incremented and the new signature will not be added.
The prior art of record does not disclose the limitations above in combination with the remaining elements in the independent claims.
The allowable subject matter is now reflected in applicant’s independent claims 1 and 12. Dependent claims depend from allowed claims and therefore are also allowed.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ANH NGUYEN whose telephone number is (571)270-0657. The examiner can normally be reached M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Umar Cheema can be reached on 5712703037. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/ANH NGUYEN/Primary Examiner, Art Unit 2456