DETAILED ACTION
This communication is responsive to the application # 16/567,299 filed on September 11, 2019. Claims 1-20 are pending and are directed toward MALICIOUS VIRTUAL MACHINE DETECTION.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


 Claims 1-20 are rejected under 35 U.S.C. 102(a)(1) as being unpatentable over Mishra et al. (Out-VM Monitoring for Malicious Network Packet Detection in Cloud, IEEE 2017, 10 pages), hereinafter referred to as Mishra.
As per claim 1, Mishra teaches a computer-implemented method, comprising:
passing network traffic from a set of virtual machines to a set of network resources, the network traffic passing through a network monitor (a robust and learning based security approach (MNPD) for detecting malicious network traffic in cloud environment. CNS is the primary component which is responsible for routing of cloud network packets from VM to VM, VM to outside world and vice versa. Hence, in the proposed security architecture, one instance of MNPD is deployed at the CNS to monitor the communication of VMs at the network level. Mishra, page 9);
monitoring, by the network monitor, a set of traffic characteristics for the network traffic (Out-VM traffic monitoring is required to isolate the traffic monitoring from monitored machine. Signature matching approaches fail to detect the variants of known attack patterns. Hence, an efficient detection mechanism is required to capture and learn the actual behavior of attacks. It should be capable to detect the unknown  attack variants based on their similarity with learned behavior. Mishra, page 3);
identifying a change in a traffic characteristic of the set of traffic characteristics, the change resulting in a modified traffic characteristic (At the virtualization layer, MNPD provides a traffic validation module (TrVal() to ensure that tenant VMs are generating traffic from a correct Source IP and MAC address. It takes the input from BeCap() module and redirects the passed packets to BeEng() module for detailed analysis as attacks can be generated from a legitimate source address. Algorithm 1 shows how TrVal() validates the traffic from outside the VM at Cloud Compute Server (CCoS). Mishra, page 5);
identifying a first virtual machine of the set of virtual machines, the first virtual machine associated with the modified traffic characteristic (Hence, MNPD captures the packets at VNI itself and detects the spoofing attack by TrVal() module. Each VNI (vif.DomID.DevID) is associated with a DomID as discussed in section III. We can identify which VM is generating the traffic originated from VNI under monitoring. Mishra, page 5); and
generating an alert identifying the first virtual machine and the modified traffic characteristic (Alert and Logging (Alert_Log()) module generates the alerts and logs if suspicious activity is detected by behavior analysis module. The logs are shared with cloud administrator. Only legitimate packets are allowed to pass from physical interface of CCoS and forwarded to other servers (CNS/other CCoS). TrVal() ensures that virtual traffic reaching to CNS or other CCoS, has correct virual IP/virtual MAC. Mishra, page 4).
As per claim 2, Mishra teaches the method of claim 1, further comprising:
generating a virtual machine for inclusion in the set of virtual machines (This is achieved by installing DHCP service (considered dnsmasq in our implementation) at the Dom0 and configuring it for each VM network settings. Mishra, page 5);
generating an identification for the virtual machine (The configuration file is located at following path: /etc/dnsmasq.conf. The DHCP service is configured to allocate an IP address from a given range of IP addresses at the time of VM launch. The MAC address is allocated to each VM at every VM launch operation which we have configured at the VM configuration file (/etc/xen/Ubuntu-Guest-VM1.cfg). Mishra, page 5); and
providing, to the network monitor, the identification and a network address for the virtual machine (DHCP service stores the actual configured networking settings (IP address, MAC address etc.) at certain location in Xen (/var/lib/libvirt/dnsmasq/virbr0.status) which is stored on each booting process of VM. MNPD introspects the MAC and IP entries at that location, configured by dnsmasq DHCP service for obtaining actual network configuration information. Mishra, page 5).
As per claim 3, Mishra teaches the method of claim 1, wherein the set of traffic characteristic are selected from a group consisting of a destination network address, a set of source TCP ports, a set of destination TCP ports, a set of source UDP ports, and a set of destination UDP ports (The PCAP files provided by BeCap() module represents the basic statistics of the packet header values such as destination address, source address, prototype, etc. Mishra, page 6).
As per claim 4, Mishra teaches the method of claim 1, wherein virtual machines, of the set of virtual machines, sharing a virtual machine identification communicate with the set of network resources using matching traffic characteristics of the set of traffic characteristics (Dom0 maintains a database named as xenstore which maintains the configuration information of different domains which is shared between them. The domains read and write in the database to communicate with other domains. Mishra, page 3).
As per claim 5, Mishra teaches the method of claim 1, further comprising:
comparing a destination network address of a subset of virtual machines sharing a virtual machine identification to identify a change in a destination network address for the first virtual machine (MNPD provides two-levels of defense from attackers at CNS and CCoS. MNPD performs the traffic monitoring at CNS; providing primary defense from the attacks at CNS. MNPD validates the traffic at virtualization-layer of CCoS and also performs the traffic monitoring at Dom0 of hypervisor; providing second level of defense from attacks at CCoS. The proposed MNPD approach is mainly concerned with the analysis of network traffic traces. It provides the good performance for network attacks detection. Mishra, page 4); and
generating the alert identifying the first virtual machine and the change in the destination network address for the first virtual machine (Behavior analysis Engine (BeEng() trains itself with loaded attack dataset and detects any suspicious network pattern in testing phase. Alert and Logging (Alert_Log()) module generates the alerts and logs if suspicious activity is detected by behavior analysis module. The logs are shared with cloud administrator. Mishra, page 4; See also Algorithm 1 Proposed algorithm for Detecting IP and MAC Spoofing at Hypervisor. Mishra, page 6).
As per claim 6, Mishra teaches the method of claim 1, further comprising:
comparing a destination network address and an IP protocol of a subset of virtual machines sharing a virtual machine identification to identify a change in the IP protocol for the first virtual machine (Traffic validation (TrVal()) module validates the VM traffic for correct IP and MAC address. Only legitimate traffic is allowed to reach to destination after behavior analysis at Dom0. Mishra, page 5); and
generating the alert identifying the first virtual machine and the change in the IP protocol (Algorithm 1 Proposed algorithm for Detecting IP and MAC Spoofing at Hypervisor. Mishra, page 6).
As per claim 7, Mishra teaches the method of claim 1, further comprising: comparing a set of source port numbers and a set of destination port numbers of a subset of virtual machines sharing a virtual machine identification to identify a change in port numbers for the first virtual machine; and generating the alert identifying the first virtual machine and the change in port numbers (A CA performs further analysis on suspicious traffic based on the output log created by MNPD system. The log provides the detailed information of the VM together with its domain ID, domain name and VNI details. Once, the details of machine generating the malicious traffic is known, the port details are extracted from the malicious packet headers. The applications associated with the ports are identified and declared as suspicious. The tenants are warned to remove the applications. If a tenant VM generates a large number of malicious traffic, it is isolated or restored to a previous checkpoint when it was found to be benign. Mishra, page 7).
Claims 8-20 have limitations similar to those treated in the above rejection, and are met by the references as discussed above, and are rejected for the same reasons of anticipation as used above.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to OLEG KORSAK whose telephone number is (571)270-1938.  The examiner can normally be reached on Monday-Friday 7:30am - 5:00pm EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571)272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/OLEG KORSAK/
Primary Examiner, Art Unit 2492