DETAILED ACTION
This office action is in reply to applicant communication filed on June 01, 2022.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


Claims 1-20 have been amended.
Claims 1-20 are pending. 

Response to Argument
Applicant’s arguments filed on June 01, 2022 with respect to the 35 U.S.C. 102/103 rejections have been fully considered but are moot in view of new ground(s) of rejection.

Applicant argues that the prior art of record fails to teach the amended limitation, “selecting a novelty detection technique from a plurality of novelty detection techniques based on a size of the given cluster,” of the independent claims. However, upon further consideration, a new ground(s) of rejection is made using newly discovered prior art to Tsai (US Pub. No. 2008/0306715).

Examiner first would like to point out how the term “novelty detection techniques” in the amended claim limitation is interpreted by the office:

"Novelty detection techniques" is interpreted by the office as a method of detecting abnormal/intrusion activity in a network based on the size/density of a cluster/classification of data. The newly discovered prior art (Tsai’s reference) discloses this interpretation and the amended limitation as, (paragraph 2 of Tsai, the present invention relates to a detecting method over network intrusion; particularly, to a detecting method creating a detecting model by a data clustering technique incorporated with density-based and grid-based algorithms to detect intrusion linking toward a network). Further, Tsai discloses the method of selecting a detection model as, (paragraph 11 of Tsai, creating at least one feature model by a data clustering technique incorporated with density-based and grid-based algorithms through a model-creating module; evaluating the at least one feature model through a model-identifying module to select a detecting model; and detecting whether a new packet datum belongs to an intrusion instance or not by a detecting module). Therefore, the newly discovered prior art to Tsai teaches the amended claim limitation of the independent claims as explained above.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1-4, 6-11, 13-18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Satish (US Pub. No. 2011/0271341) in view of Abbaszadeh (US Pub. No. 2018/0191758) and further in view of Tsai (US Pub. No. 2008/0306715).

As per claim 1 Satish discloses:
A method of detecting and preventing attacks in a network, comprising: determining a plurality of network behaviors of a process by monitoring the process; (paragraph 55 of Satish, software datasets are established 410. The software datasets include the malware dataset 312 and the goodware dataset 314. The security server 110 collects 412 behavior traces for the software in the datasets by, e.g., executing the software in emulation environments)
Generating a plurality of intended states for the process based on subsets of the plurality of network behaviors; (paragraph 55 of Satish, the security server 110 normalizes 414 the behavior traces of the software by placing the traces in a standard representation. As part of the normalization, the security server 110 also groups 414 related sequential behaviors in the traces into operations to form behavior sequences).
Determining a plurality of intended state clusters by applying a clustering technique to the plurality of intended states; (paragraph 58 of Satish, the security server 110 clusters 416 similar behavior sequences together using, e.g., edit distance as the measure of similarity. The security module 110 analyzes 418 clusters that contain sequences predominantly from malware in order to identify candidate sequences of behaviors that can be used to identify the malware. The security module 110 selects from among the candidate sequences for a malware cluster and uses the selected candidate sequence to generate 418 a behavioral signature for the malware family represented by the cluster. The security server 110 distributes 420 the signatures generated for the malware clusters to the security modules 116 of the clients 112).
Determining a state of the process; (paragraph 20 of Satish, the security module 116 detects malware at the client 112 by observing the behaviors of software executing at the client to determine whether the behaviors match any of the behavioral signatures).
Using the detection technique to determine, based on the given cluster and the state of the process, whether to generate a security alert for the process. (Paragraph 20 of Satish, the detection data obtained by the security module 116 include behavioral signatures. A behavioral signature describes a sequence of behaviors that are characteristic of malware. The security module 116 detects malware at the client 112 by observing the behaviors of software executing at the client to determine whether the behaviors match any of the behavioral signatures).
Satish teaches the method of detecting malware by observing the behaviors of software executing and comparing to behavioral signatures (see paragraph 20 of Satish) but fails to disclose:
Identifying a given cluster of the plurality of intended state clusters that corresponds to the state of the process.
However, in the same field of endeavor, Abbaszadeh teaches this limitation as, (paragraph 68 of Abbaszadeh, FIG. 13 is an operating method for threat detection according to some embodiments. In particular, observation is performed at S1310 and distances to cluster centroids (also called cluster assignment) are computed at S1320) and (paragraph 69 of Abbaszadeh, the nearest cluster may then be determined at S1330 and used to select an appropriate cluster-based decision boundary at S1340) and (paragraph 70 of Abbaszadeh, the selected cluster-based decision boundary can then be used to perform anomaly detection at S1350 and a current system status may be generated and/or transmitted at S1360. For example, the system may compare the generated current monitoring node feature vectors with the selected appropriate cluster-based decision boundary and automatically transmit a threat alert signal based on results of those comparisons).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Satish and include the above limitation using the teaching of Abbaszadeh in order to enhance the security of the computing device by observing and comparing with the nearest cluster (see paragraph 68 of Abbaszadeh).
The combination of Satish and Abbaszadeh teaches the method of detecting malware by observing the behaviors of software executing and comparing to behavioral signatures (see paragraph 20 of Satish) but fails to disclose:
Selecting a novelty detection technique from a plurality of novelty detection techniques based on a size of the given cluster.
However, in the same field of endeavor, Tsai teaches this limitation as, (paragraph 2 of Tsai, the present invention relates to a detecting method over network intrusion; particularly, to a detecting method creating a detecting model by a data clustering technique incorporated with density-based and grid-based algorithms to detect intrusion linking toward a network) and (paragraph 11 of Tsai, creating at least one feature model by a data clustering technique incorporated with density-based and grid-based algorithms through a model-creating module; evaluating the at least one feature model through a model-identifying module to select a detecting model; and detecting whether a new packet datum belongs to an intrusion instance or not by a detecting module).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Satish and Abbaszadeh to include the above limitation using the teaching of Tsai in order to enhance the security of the network by detecting intrusion activity using a detection model appropriate to a density/size-based clustering system (see paragraph 2 of Tsai).

Claims 8 and 15 are rejected for the same reasons set forth in the rejection of claim 1.

As per claim 2 Satish in view of Abbaszadeh and further in view of Tsai discloses:
The method of claim 1, wherein generating the plurality of intended states of the process comprises extracting features from the subsets of the plurality of network behaviors to produce feature vectors. (paragraph 55 of Satish, the security server 110 normalizes 414 the behavior traces of the software by placing the traces in a standard representation. As part of the normalization, the security server 110 also groups 414 related sequential behaviors in the traces into operations to form behavior sequences).

Claims 9 and 16 are rejected for the same reasons set forth in the rejection of claim 2.

As per claim 3 Satish in view of Abbaszadeh and further in view of Tsai discloses:
Satish teaches the method of detecting malware by observing the behaviors of software executing and comparing to behavioral signatures (see paragraph 20 of Satish) but fails to disclose:
The method of claim 2, wherein applying the clustering technique to the plurality of intended states comprises applying k-modes or k-means clustering to the feature vectors.
However, in the same field of endeavor, Abbaszadeh teaches this limitation as, (paragraph 56 of Abbaszadeh, note that the identification of clusters described in connection with FIG. 9 might be associated with, for example, a K-means clustering process. As used herein, the term "K-means" clustering process might refer to, for example, a method of vector quantization wherein n observations are partitioned into k clusters).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Satish and include the above limitation using the teaching of Abbaszadeh in order to enhance the security of the computing device by observing and comparing with the observed process using a faster clustering system.

Claims 10 and 17 are rejected for the same reasons set forth in the rejection of claim 3.

As per claim 4 Satish in view of Abbaszadeh and further in view of Tsai discloses:
Satish teaches the method of detecting malware by observing the behaviors of software executing and comparing to behavioral signatures (see paragraph 20 of Satish) but fails to disclose:
The method of claim 1, wherein identifying the given cluster of the plurality of intended state clusters that corresponds to the state of the process comprises comparing the state of the process to a reference point of the given cluster.
However, in the same field of endeavor, Abbaszadeh teaches this limitation as, (paragraph 70 of Abbaszadeh, the selected cluster-based decision boundary can then be used to perform anomaly detection at S1350 and a current system status may be generated and/or transmitted at S1360. For example, the system may compare the generated current monitoring node feature vectors with the selected appropriate cluster-based decision boundary and automatically transmit a threat alert signal based on results of those comparisons).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Satish and include the above limitation using the teaching of Abbaszadeh in order to enhance the security of the computing device by observing and comparing with the selected cluster (see paragraph 70 of Abbaszadeh).

Claims 11 and 18 are rejected for the same reasons set forth in the rejection of claim 4.

As per claim 6 Satish in view of Abbaszadeh and further in view of Tsai discloses:
The method of claim 1, wherein the security alert is generated if the novelty detection technique indicates that the state of the process is an anomaly. (Paragraph 20 of Satish, the detection data obtained by the security module 116 include behavioral signatures. A behavioral signature describes a sequence of behaviors that are characteristic of malware. The security module 116 detects malware at the client 112 by observing the behaviors of software executing at the client to determine whether the behaviors match any of the behavioral signatures).

Claims 13 and 20 are rejected for the same reasons set forth in the rejection of claim 6.

As per claim 7 Satish in view of Abbaszadeh and further in view of Tsai discloses:
Satish teaches the method of detecting malware by observing the behaviors of software executing and comparing to behavioral signatures (see paragraph 20 of Satish) but fails to disclose:
The method of claim 1, wherein the state of the process comprises a feature vector indicating one or more of: the process did or did not make outbound public address access; the process did or did not make outbound private address access; the process did or did not make an outbound connection on an ephemeral port; the process did or did not make an outbound connection on a well-known port; the process did or did not receive an inbound connection on an ephemeral port; the process did or did not receive an inbound connection on a well-known port; the process did or did not make an outbound connection on a specific port; or the process did or did not receive an inbound connection on a particular port.
However, in the same field of endeavor, Abbaszadeh teaches this limitation as, (paragraph 41 of Abbaszadeh, attack assessments might be performed in a post decision module (e.g., the localization element 356) to isolate whether the attack is related to any of the sensor, controller, or actuator (e.g., indicating which part of the monitoring node). This may be done by individually monitoring, over time, the location of the feature vector with respect to the corresponding cluster-based decision boundary. For example, when a sensor 334 is spoofed, the attacked sensor feature vector will cross the one cluster-based decision boundary earlier than the rest of the vectors as described with respect to FIGS. 4 through 6. If a sensor is declared to be anomalous, and the load command to the auxiliary equipment is later determined to be anomalous, it may be determined that the original attack, such as signal spoofing, occurred on the sensor 334).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Satish and include the above limitation using the teaching of Abbaszadeh in order to enhance the security of the computing device by observing and comparing with the cluster-based decision boundary (see paragraph 41 of Abbaszadeh).

Claim 14 is rejected for the same reasons set forth in the rejection of claim 7.

Claims 5, 12 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Satish (US Pub. No. 2011/0271341) in view of Abbaszadeh (US Pub. No. 2018/0191758) and further in view of Tsai (US Pub. No. 2008/0306715) and Mohaisen (US Pub. No. 2015/0244733).

As per claim 5:
The combination of Satish, Abbaszadeh, and Tsai teaches the method of detecting malware by observing the behaviors of software executing and comparing to behavioral signatures (see paragraph 20 of Satish) but fails to disclose:
The method of claim 1, wherein the novelty detection technique is selected from: a tree-based model; weighted Hamming distances; or review by a user.
However, in the same field of endeavor, Mohaisen teaches this limitation as, (paragraph 54 of Mohaisen, in terms of clustering operations, platforms and techniques herein can employ several distance metrics within a feature space or other abstract space with which to group samples, like the Jaccard index, cosine similarity, Hamming distance, Euclidean distance, and correlation. On the other hand, options for linkage include average, complete (maximum), median, single (minimum), ward, and centroid, among others).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Satish, Abbaszadeh, and Tsai to include the above limitation using the teaching of Mohaisen in order to enhance the security of the computing device by observing and comparing with the nearest cluster based on Hamming distance (see paragraph 54 of Mohaisen).

Claims 12 and 19 are rejected for the same reasons set forth in the rejection of claim 5.
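For readers who want to see the claimed pipeline end to end, the following is an added, self-contained illustration written for this editorial copy; it is neither the applicant's code nor an implementation from Satish, Abbaszadeh, Tsai or Mohaisen. It strings together the limitations addressed above: binary network-behavior feature vectors with the eight features listed in claim 7, k-modes clustering over Hamming distance as in claim 3, nearest-cluster identification against a reference point (the cluster mode) as in claim 4, a novelty detection technique selected by cluster size as in claim 1, and two of the three techniques named in claim 5 (weighted Hamming distance for clusters large enough to estimate per-feature weights, review by a user for small clusters; the tree-based option is not implemented here). The sample intended states, the cluster-size cutoff of four, the farthest-first initialization and the "max member score" alert threshold are all assumptions made for this illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

State = Tuple[int, ...]

# Feature order of a binary state vector; names follow the list in claim 7.
FEATURES = [
    "outbound_public_address", "outbound_private_address",
    "outbound_ephemeral_port", "outbound_well_known_port",
    "inbound_ephemeral_port", "inbound_well_known_port",
    "outbound_specific_port", "inbound_particular_port",
]

# Constructed sample of intended states (one row per monitored process window):
# seven "web client"-like rows, two "internal service"-like rows, one odd row.
INTENDED_STATES: List[State] = [
    (1, 0, 0, 1, 0, 0, 0, 0), (1, 0, 0, 1, 0, 0, 0, 0), (1, 0, 0, 1, 0, 0, 1, 0),
    (1, 0, 0, 1, 0, 0, 0, 0), (1, 0, 1, 1, 0, 0, 0, 0), (1, 0, 0, 1, 0, 0, 0, 0),
    (1, 0, 0, 1, 0, 0, 1, 0),
    (0, 1, 0, 0, 0, 1, 0, 0), (0, 1, 0, 0, 0, 1, 0, 1),
    (0, 0, 1, 0, 1, 0, 0, 0),
]

MIN_CLUSTER_FOR_STATISTICS = 4  # assumed size cutoff for the technique selection


def hamming(a: State, b: State) -> int:
    return sum(x != y for x, y in zip(a, b))


def mode_vector(rows: List[State]) -> State:
    # Per-feature majority bit; ties resolve to 0 so the mode is deterministic.
    n = len(rows)
    return tuple(1 if 2 * sum(r[j] for r in rows) > n else 0 for j in range(len(rows[0])))


def kmodes(rows: List[State], k: int, max_iter: int = 20):
    # Farthest-first initialization keeps the toy example deterministic.
    modes = [rows[0]]
    while len(modes) < k:
        modes.append(max(rows, key=lambda r: min(hamming(r, m) for m in modes)))
    for _ in range(max_iter):
        labels = [min(range(k), key=lambda i: hamming(r, modes[i])) for r in rows]
        new_modes = []
        for i in range(k):
            members = [r for r, l in zip(rows, labels) if l == i]
            new_modes.append(mode_vector(members) if members else modes[i])
        if new_modes == modes:
            break
        modes = new_modes
    labels = [min(range(k), key=lambda i: hamming(r, modes[i])) for r in rows]
    return modes, labels


@dataclass
class Cluster:
    mode: State                 # reference point used for cluster identification
    members: List[State]

    @property
    def size(self) -> int:
        return len(self.members)

    def weights(self) -> List[float]:
        # Features that vary inside the cluster count less when scoring a new state.
        return [1.0 - sum(m[j] != self.mode[j] for m in self.members) / self.size
                for j in range(len(self.mode))]

    def weighted_hamming(self, state: State) -> float:
        w = self.weights()
        return sum(w[j] for j in range(len(self.mode)) if state[j] != self.mode[j])

    def threshold(self) -> float:
        # Assumed rule: anything scoring above the worst intended member is novel.
        return max(self.weighted_hamming(m) for m in self.members)


@dataclass
class Decision:
    cluster_index: int
    cluster_size: int
    technique: str
    score: Optional[float]
    alert: bool
    needs_review: bool


def build_clusters(rows: List[State], k: int) -> List[Cluster]:
    modes, labels = kmodes(rows, k)
    return [Cluster(modes[i], [r for r, l in zip(rows, labels) if l == i]) for i in range(k)]


def identify_cluster(clusters: List[Cluster], state: State) -> int:
    return min(range(len(clusters)), key=lambda i: hamming(state, clusters[i].mode))


def select_technique(cluster: Cluster) -> str:
    # Selection "based on a size of the given cluster" (claim 1).
    return "weighted_hamming" if cluster.size >= MIN_CLUSTER_FOR_STATISTICS else "user_review"


def evaluate(clusters: List[Cluster], state: State) -> Decision:
    idx = identify_cluster(clusters, state)
    c = clusters[idx]
    technique = select_technique(c)
    if technique == "weighted_hamming":
        score = c.weighted_hamming(state)
        return Decision(idx, c.size, technique, score, score > c.threshold(), False)
    # Too few members to estimate weights: hand the state to an analyst instead.
    return Decision(idx, c.size, technique, None, False, True)


if __name__ == "__main__":
    clusters = build_clusters(INTENDED_STATES, 3)
    for probe in [(1, 0, 0, 1, 1, 0, 0, 0), (1, 0, 0, 1, 0, 0, 1, 0), (0, 1, 0, 0, 0, 1, 0, 1)]:
        print(probe, evaluate(clusters, probe))
```

With the constructed data the clustering yields clusters of sizes 7, 2 and 1. A probe that matches the large cluster except for an unexpected inbound ephemeral connection scores 1.0 against a threshold of 6/7 and raises an alert; a probe that only differs on the feature the cluster already varies on does not; a probe nearest the two-member cluster is routed to user review rather than scored, which is the point of choosing the technique by cluster size: a statistical threshold estimated from two samples would be meaningless.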

Conclusion
The prior art made of record and not relied upon, which is considered pertinent to applicant’s disclosure, is Siddiqui (US Pub. No. 2018/0288077). Siddiqui discloses methods and systems for malware detection using a scalable and subscription-based system.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to TESHOME HAILU whose telephone number is (571)270-3159. The examiner can normally be reached M-F 8 a.m. - 5 p.m.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571) 272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/TESHOME HAILU/Primary Examiner, Art Unit 2434