PNG
    media_image1.png
    340
    340
    media_image1.png
    Greyscale
United States Patent and Trademark Office    
        
            
                                
            
        
    

Commissioner for Patents
United States Patent and Trademark Office
P.O. Box 1450
Alexandria, VA 22313-1450
www.uspto.gov











BEFORE THE PATENT TRIAL AND APPEAL BOARD


Application Number: 16/061,856
Filing Date: 13 Jun 2018
Appellant(s): Aruba Networkds, Inc.



__________________
Dan C. Hu
Registration No. 40,025
For Appellant


EXAMINER’S ANSWER





This is in response to the appeal brief filed March 17, 2022.


(1) Grounds of Rejection to be reviewed on Appeal
Every ground of rejection set forth in the Office action dated 10/18/2021 from which the appeal is taken is being maintained by the examiner except for the grounds of rejection (if any) listed under the subheading “WITHDRAWN REJECTIONS.”  New grounds of rejection (if any) are provided under the subheading “NEW GROUNDS OF REJECTION.”

The following ground(s) of rejection are applicable to the appealed claims.
Claims 1, 5-6 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Johnson et al. U.S. Patent No. 7,640,586 B1 in view of Dujari U.S. Patent No. 6,199,107 B1.

Claims 2, 7, 10, 11 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Johnson et al. U.S. Patent No. 7,640,586 B1 in view of Dujari U.S. Patent No. 6,199,107 B1 and further in view of Marshall U.S. Patent Pub No. 2015/0288706 A1.

Claims 3-4, 8-9 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Johnson et al. U.S. Patent No. 7,640,586 B1 in view of Dujari U.S. Patent No. 6,199,107 B1 and further in view of Marshall U.S. Patent Pub No. 2015/0288706 A1 and further in view of Zahavi et al. U.S. Patent Pub. No. 2009/0094377 A1.
 Restatement of Rejection
Examiner provides the following restatement of the rejection of claim 1 for ease of reference. 
Johnson teaches downloading the entire resource using the byte serving request due to a change in the resource because of a malware. However, Johnson does not explicitly teach the modifying step of the byte serving request. Dujari was cited to teach that the byte serving request could be modified by explicitly changing the “If-Range” values to download portions or the entire of the resource. (further details are presented in the response to arguments below)
The rejection of claim 1 is copied here from the final office action mailed on 10/18/2021 pages 3-5. 

Claims 1, 5-6 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Johnson et al. U.S. Patent No. 7,640,586 B1 (hereinafter “Johnson”) in view of Dujari U.S. Patent No. 6,199,107 B1.

As per claim 1, Johnson teaches a method for preventing malware downloads (a method of scanning a requested file for a computer malware. Johnson, Col. 2 lines 4-5), comprising: 
determining, in response to a byte-serving request to download a portion of a resource, that the resource has previously been determined to comprise malware, (initiating a session with the external system to obtain those portions of the file that have not been transferred. The session may be a hypertext transfer protocol session. The hypertext transfer protocol session may use a byte range technique. Johnson, Col. 2 lines 59-63) (if range queries are successfully sent the invention must keep track of the entity tags reported by each individual HTTP transfer. In the event that the entity tag changes, the invention must discard all the old blocks of data and restart the scan for malware. Johnson, Col. 4 lines 38-42) (The scanner then inspects the file and indicates that it is either finished (and the file is clean or dirty). Johnson, Col.5 Lines.39-40 and Fig. 4 element 406);
In response to determining that the resource has previously been determined to comprise malware, modifying the byte-serving request (if the condition fails because the entity has been modified, then it is necessary to make a second request to obtain the entire current version of the file. The If-Range header provides an alternative that allows the second request to be avoided. Informally, its meaning is `if the entity is unchanged, send me the part(s) that I am missing; otherwise [if-range is modified], send me the entire new entity If-Range="If-Range" ":" (entity-tag|HTTP-date). Johnson, Col. 7 lines 24-31); and
requesting downloading all the resource using the modified byte-serving request (if the condition fails because the entity has been modified, then it is necessary to make a second request to obtain the entire current version of the file. The If-Range header provides an alternative that allows the second request to be avoided. Informally, its meaning is `if the entity is unchanged, send me the part(s) that I am missing; otherwise, send me the entire new entity. Johnson, Col. 7 lines 24-31).
Johnson does not explicitly teach to modifying the byte-serving request to request downloading all the resource.
 However, Dujari teaches modifying the byte-serving request to request downloading all the resource (the range request 86 includes the "GET" request indicating the URI of the content, an "Unless-Modified-Since" header specifying the timestamp that was previously provided by the server as the content's timestamp, the "If-Range" header specifying the ETag, and other headers that would be transmitted for a full request. In addition, the missing range is specified by a "Range" header, for example "Range: bytes=2000-" (open-ended) requested range, (2000-). Note that the range alternatively may have specified "bytes 2000-7999", since the full length was known, however not specifying an upper limit indicates that the request is seeking the range to the end of the content. The range request 86 is then transmitted to the server at step 918, and the process continues to step 1100 of FIG. 11 to await the response. Dujari. Col. 7 Lines. 28-42 ) (the server (or a proxy for the server) instead provides a full content (HTTP code 200) response, such as when the server detected from the "Unless-Modified-Since" timestamp and/or the "If-Range" ETag that the requested content had changed since the partial content was cached. Dujari, Col. 7 lines 56-61);
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modifying the teaching of Johnson to modifying the byte-serving request to request downloading all the resource. One would be motivated to do so, to download the full content and scan it for identifying malware.


(2) Response to Argument
Argument A. 
1. Claims 1, 6.
–Appellant argues that the primary reference Johnson fails to teach the limitation “in response to determining that the resource has previously been determined to comprise malware, modifying the byte-serving request to request downloading all the resource”, since requesting the download of the entire current version of the file (the resource) in response to detecting a change in the file content, as performed in Johnson, is different from requesting the downloading of all of the resources “in response to determining that the resource has previously been determined to comprise malware” as recited in claim 1. Furthermore, the secondary reference Dujari fails to teach the limitation “modifying the byte-serving request to request downloading all the resource”. (APPEAL BRIEF, pages 5-8).

Response:
Examiner respectfully disagrees with appellant’s assertion. The broadest reasonable interpretation for the feature “in response to determining that the resource has previously been determined to comprise malware” in the light of the specification, is a determination that a resource was known as a malware before transferring that resource, or a portion of it, to the requestor of that resource (If the malware is detected due to a signature match, the rest of the packets from the server are dropped, thereby preventing the malware from entering the client 102. If malware is detected as a result of the hash lookup, the last packet of the file is dropped. As a result, the client 102 does not receive the complete file, thereby preventing the malware from infecting the client 102. Spec, para [0017]). The resources as defined by the specification could be any downloadable files (Resources may be files or other content, such as downloadable files and web pages. Spec, para [0010]).
The primary reference Johnson teaches determining a resource or a file as clean or malicious before delivering the file to the user, in response to a request initiated from the user to download the file (a user system 304 requests a file. Typically, the user operating user system 304 will browse to a Website and select a link that requests the transfer of a file from a Web server to user system 304 […] the request is intercepted by the scanning server and routed to computer malware scanning software 306 that will scan the file. Johnson, Col. 5 Lines 27-36) (The scanner then inspects the file and indicates that it is either finished (and the file is clean or dirty) or it needs additional data. If the scanner is not finished, the scanning server loops, requesting additional parts of the file and passing them to the scanner. Eventually, the scanner will indicate it is done, and the scanning server will either deliver the file to the user system, or deliver an error message [based on a previous determination of whether the file is malicious or not]. Johnson, Col. 5 Lines 39-45)
	The specification clarifies the process of determination as an in-stream scanning, where the scanning is performed in line, and each portion is compared with a list of known malware, [which is typically the process done by any scanning software] (In stream-scanning, the scanning is performed inline, where every packet is subjected to a signature match of known malware, and an incremental hash computation. Once the end-of-file is detected, the computed hash value is used for a hash lookup against a hash table containing list of known malware. If either a signature match is detected in the middle of the file, or the hash lookup succeeds, the resource is infected with malware. If the malware is detected due to a signature match, the rest of the packets from the server are dropped, thereby preventing the malware from entering the client 102. Spec, para [0017]). Also, the reference Johnson teaches downloading portions of the file and perform in stream scanning and whenever other portions are required, they will be immediately downloaded and scanned (there can be several parallel download operations. Download 110 of a requested file is begun. As soon as some minimum portion of the requested file has been downloaded, the downloaded portion is scanned 112A for the presence of any computer malwares. After the scan, the scanner will indicate either that the file is clean of malware, or that the scanner needs an additional portion of the file. Additional portions of the requested file are downloaded 114A and 114B immediately, in contrast to the prior art's having to wait. As portions 114A and 114B arrive, they are scanned for malwares 112B and 112C. Johnson, Col. 3 lines 35-45). 
Therefore, the primary reference Johnson using a byte serving request to download a portion of or the entire file as recited in the limitation when it is determined that the file has changed (initiating a session with the external system to obtain those portions of the file that have not been transferred. The session may be a hypertext transfer protocol session. The hypertext transfer protocol session may use a byte range technique. Johnson, Col. 2 lines 59-63) (if the condition fails because the entity has been modified [due to malware that is previously determined before transferring the file to the user], then it is necessary to make a second request to obtain the entire current version of the file. The If-Range header provides an alternative that allows the second request to be avoided. Informally, its meaning is `if the entity is unchanged, send me the part(s) that I am missing; otherwise [if entity is changed], send me the entire new entity If-Range="If-Range" ":" (entity-tag|HTTP-date). Johnson, Col. 7 lines 24-31), and a determination will be made if the file has previously contained a malware or not, before the delivery of the file to the requestor, (The entity tag is guaranteed to change if the content of the file changes. So, if range queries are successfully sent the invention must keep track of the entity tags reported by each individual HTTP transfer. In the event that the entity tag changes, the invention must discard all the old blocks of data and restart the scan for malware [which clearly suggest that changing in a content of the file is due to a detected malware]. Johnson, Col. 4 lines 37-42) (The scanner then inspects the file and indicates that it is either finished (and the file is clean or dirty). Johnson, Col.5 Lines.39-40 and Fig. 4 element 406)( the scan performed by scanning software 306 is completed. If the scan indicates that there are no malwares present in the file, delivery of the file to user system 304 is started [at the time of delivery a determination if the file has malware or not is previously made]. Johnson, Col. 6 lines 19-22).
Based on that, Johnson clearly teach the limitation of “determining that the resource has previously been determined to comprise a malware” and using “the byte-serving request to request downloading all the resource” before sending the resource to the user, in response to the “determining” step.
Moving next to appellant’s argument regarding the limitation “modifying the byte-serving request to request downloading all the resource” in response to the “determination process” clarified above.
The specification stated that modifying the byte serving is done by changing the value of the If-Range field to mismatch the current ETag, which will result in the server downloading the complete resource (if the If-Range value is the same as the current Etag for the resource, the server 108 enables byte-serving features to send the remainder of the content of the resource to the client. However, in implementations of the claimed subject matter, the UTM 112 modifies the HTTP GET request by changing the value of the If-Range field. On receipt of this new value in the HTTP GET, the server 108 detects a mismatch between the current ETag and the value received in the if-Range field. This results in the server 108 disabling the byte serving functionality, thereby sending the complete resource again. Once the UTM 112 processes the complete file again, the UTM 112 detects the malware again, thus preventing infection of the client. Spec, para [0030]).
The secondary reference Dujari discloses modifying the If-Range field with different values, and using the byte-serving request to downloading portion of or all the resource based on the modified byte-serving request (the range request 86 includes the "GET" request indicating the URI of the content, an "Unless-Modified-Since" header specifying the timestamp that was previously provided by the server as the content's timestamp, the "If-Range" header specifying the ETag, and other headers that would be transmitted for a full request. In addition, the missing range is specified by a "Range" header, for example "Range: bytes=2000-" (open-ended) requested range, (2000-). Note that the range alternatively may have specified "bytes 2000-7999", since the full length was known, however not specifying an upper limit indicates that the request is seeking the range to the end of the content [modifying the byte-serving request by changing If-Range value]. The range request 86 is then transmitted to the server at step 918, and the process continues to step 1100 of FIG. 11 to await the response. Dujari. Col. 7 Lines. 28-42) (the server (or a proxy for the server) instead provides a full content (HTTP code 200) response, such as when the server detected from the "Unless-Modified-Since" timestamp and/or the "If-Range" ETag that the requested content had changed since the partial content was cached. Dujari, Col. 7 lines 56-61)
Therefore, the secondary reference Dujari clearly teaches modifying or changing If-Range/ ETag in the GET range request to download portions of or the entire file. Using this feature from Dujari to modify the teaching of Johnson will render the limitation “in response to determining that the resource has previously been determined to comprise malware, modifying the byte-serving request to request downloading all the resource” obvious.

The Examiner respectfully submits that the rejection of claims 1 and 6 in view of the combination of Johnson in view of Dujari should be maintained for at least the above reasons.

2. Claims 12, 5

– Appellant argues that Johnson and Dujari fail to teach the following subject matter of claim 12 “in response to determining that the resource has previously been determined to comprise malware, modify the byte-serving request to request downloading all the resource by modifying an If-Range value of a packet header such that, the If-Range value is different than an Etag value for the resource” where the modified byte-serving request is used to download all the resource”, for similar reasons stated in the above argument. Furthermore, the Appellant argues that the cited passage of Johnson (column 7, lines 24-31) fails to teach the feature “modifying an If-Range value of a packet header such that, the If-Range value is different than an Etag value for the resource”. (APPEAL BRIEF, pages 8-10).

Response. 
Examiner respectfully disagrees with appellant’s assertion. As discussed above, Dujari discloses the act of modifying.  For example, Dujari (column 7, lines 28-42) discloses modifying the GET request at a proxy server.  The further requirement that “the If-Range value is different than an Etag value for the resource” is always true because the convention is that If-Range specifies a byte range to be downloaded, whereas the entity-tag specifies an identifier to each resource.  
This can be seen, for example, in the specification paragraph 6:
“Range: bytes-51448- If-Range: "ca33-47ac67b902480"
….
ETag: "ca33-47ac67b902480"”

Different If-Range and Etag values are also shown in Johnson and Dujari:
Johnson discloses this feature, and teaches that the If-Range header provides an alternative that allows the request for the missing portions of the file to be avoided when the If-Range value is different than the Etag value, and request the entire file instead (if the condition fails because the entity has been modified then it is necessary to make a second request to obtain the entire current version of the file. The If-Range header provides an alternative that allows the second request [which is to send the missing part when If-Range equal the Etag] to be avoided. Informally, its meaning is `if the entity is unchanged, send me the part(s) that I am missing; otherwise, send me the entire new entity [when If-Range is different from Etag] If-Range="If-Range" ":" (entity-tag|HTTP-date). Johnson, Col. 7 lines 24-31).
In a similar way as disclosed in the application, the secondary reference Dujari teaches this feature, “modify the byte-serving request to request downloading all the resource by modifying an If-Range value of a packet header such that, the If-Range value is different than an Etag value for the resource” (the range request 86 includes the "GET" request indicating the URI of the content, an "Unless-Modified-Since" header specifying the timestamp that was previously provided by the server as the content's timestamp, the "If-Range" header specifying the ETag, and other headers that would be transmitted for a full request. In addition, the missing range is specificied by a "Range" header, for example "Range: bytes=2000-" (open-ended) requested range, (2000-). Note that the range alternatively may have specified "bytes 2000-7999", since the full length was known, however not specifying an upper limit indicates that the request is seeking the range to the end of the content. The range request 86 is then transmitted to the server at step 918, and the process continues to step 1100 of FIG. 11 to await the response. Dujari. Col. 7 Lines. 28-42 ) (the server (or a proxy for the server) instead provides a full content (HTTP code 200) response, such as when the server detected from the "Unless-Modified-Since" timestamp and/or the "If-Range" ETag that the requested content had changed since the partial content was cached. Dujari, Col. 7 lines 56-61);
Therefore, the feature “the If-Range value is different than an Etag value for the resource” is shown in both references, Johnson and Dujari.
Johnson and Dujari teach the limitation “in response to determining that the resource has previously been determined to comprise malware, modify the byte-serving request to request downloading all the resource …” at least the reasons discussed above in Argument A. for Claims 1, 6. 

The Examiner respectfully submits that the rejection of claims 12 and 5 in view of the combination of Johnson in view of Dujari should be maintained for at least the above reasons.


Argument B. 
1. Claims 2, 13.
- Appellant argues that the third reference Marshall, that was used to reject dependent claims 2 and 13, does not remedy the deficiencies of Johnson and Dujari with respect to the subject matter of the base claims as explained above. (APPEAL BRIEF, page 10)

Response. 
Examiner respectfully submit that the combination of Johnson, Dujari and Marshall teaches the limitations of claims 2 and 13 for at least the reasons discussed above in Argument A, for Claims 1, 6.” The Examiner respectfully submits that the rejection of claims 2 and 13 in view of the combination of Johnson in view of Dujari and Marshall should be maintained for at least the above reasons.


2. Claims 7, 11. 
– Appellant argues that Johnson, Dujari and Marshall fail to teach the following subject matter of claim 7 “in response to determining that the resource has previously been determined to comprise malware, modify the byte-serving request to request downloading all the resource”, for reasons similar to those stated above in the previous argument. (APPEAL BRIEF, pages 10-11).

Response. 
Examiner respectfully submit that the combination of Johnson, Dujari and Marshall teaches the limitations of claims 7 and 11 for at least the reasons discussed above in Argument A, for Claims 1,6. The Examiner respectfully submits that the rejection of claims 7 and 11 in view of the combination of Johnson in view of Dujari and Marshall should be maintained for at least the above reasons.


3. Claim 10.
– Appellant argues that Johnson, Dujari and Marshall fail to teach the following subject matter of claim 10 “wherein the byte-serving request is modified to request downloading all the resource by modifying an If-Range value of a packet header such that, the If-Range value is different than an Etag value for the resource” for reasons similar to those stated above with respect to claim 12. (APPEAL BRIEF, pages 11-12).

Response. 
Examiner respectfully submit that the combination of Johnson, Dujari and Marshall teaches the limitations of claim 10 for at least the reasons discussed above in Argument A, for Claims 12, 5. The Examiner respectfully submits that the rejection of claim 10 in view of the combination of Johnson in view of Dujari should be maintained for at least the above reasons.


Argument C. 
1. Claims 3-4, 8-9, 14-15.
- Appellant argues that the references Marshall and Zahavi, that were used in rejecting dependent claims 3-4, 8-9 and 14-15, do not remedy the deficiencies of Johnson and Dujari with respect to the subject matter of the base claims as explained above. (APPEAL BRIEF, page 12).

Response. 
Examiner respectfully submit that the combination of Johnson and Dujari teaches the limitations of claims 1, 5, 6, and 12 for at least the reasons discussed above in Argument A. Examiner further respectfully submits that the combination of Johnson, Dujari, Marshall and Zahavi teaches the further limitations of claims 3-4, 8-9 and 14-15.
The Examiner respectfully submits that the rejection of claims 3-4, 8-9 and 14-15 in view of the combination of Johnson in view of Dujari, Marshall and Zahavi should be maintained.

	

For the above reasons, it is believed that the rejections should be sustained. 


Respectfully Submitted.

/KHALID M ALMAGHAYREH/Examiner, Art Unit 2492                                                                                                                                                                                                        
Conferees:
/MICHAEL W CHAO/Primary Examiner, Art Unit 2492      

                                                                                                                                                                                                  /SALEH NAJJAR/Supervisory Patent Examiner, Art Unit 2492                                                                                                                                                                                                        


Requirement to pay appeal forwarding fee.  In order to avoid dismissal of the instant appeal in any application or ex parte reexamination proceeding, 37 CFR 41.45 requires payment of an appeal forwarding fee within the time permitted by 37 CFR 41.45(a), unless appellant had timely paid the fee for filing a brief required by 37 CFR 41.20(b) in effect on March 18, 2013.