DETAILED ACTION
This communication is responsive to the application # 16/939,233 filed on July 27, 2020. Claims 1-20 are pending and are directed toward a SYSTEM AND METHOD FOR DETECTING TRANSMISSION OF A COVERT PAYLOAD OF DATA.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims interpretation
The Examiner puts on record that determining that the datagram contains a payload intended for covert transmission is based on determining that the datagram comprises at least one of the suspicious conditions.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 5-15 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant regards as the invention. Claims 5-15 are indefinite if only other condition/conditions claimed in claim 1 are present.
Claims 11 and 12 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant regards as the invention. Limitations of statistically common/uncommon errors are not defined.
The following is a quotation of 35 U.S.C. 112(d):
(d) REFERENCE IN DEPENDENT FORMS.—Subject to subsection (e), a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

The following is a quotation of pre-AIA 35 U.S.C. 112, fourth paragraph:
Subject to the following paragraph [i.e., the fifth paragraph of pre-AIA 35 U.S.C. 112], a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

Claims 6 and 6 are rejected under 35 U.S.C. 112(d) or pre-AIA 35 U.S.C. 112, 4th paragraph, as being of improper dependent form for failing to further limit the subject matter of the claim upon which it depends, or for failing to include all the limitations of the claim upon which it depends. Limitations of claim 5 are alternative to limitations of claim 1, and further limitations of claim 6 are alternative to limitations of claim 5.
Applicant may cancel the claim(s), amend the claim(s) to place the claim(s) in proper dependent form, rewrite the claim(s) in independent form, or present a sufficient showing that the dependent claim(s) complies with the statutory requirements.
 
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-5 and 7-12 are rejected under 35 U.S.C. 102(a)(1) as being unpatentable over Mileva et al. (Covert Channels in TCP/IP Protocol Stack, Cent. Eur. J. Comp. Sci. • 4(2) • 2014 • 45-66), hereinafter referred to as Mileva.
As per claim 1, Mileva teaches a method for detecting transmission of covert payloads of data (From a network communication point of view, these covert channels can therefore also, make use of network packets as the cover object. These network packets are shared by network nodes while traversing different network topologies before they reach their intended destination. A comprehensive approach to data hiding in the network environment should encompass network behavior as well as address data hiding aspects. Mileva, page 5), said method comprising the steps of:
receiving a datagram at a host within a network (The ICMP is the mechanism used by hosts or routers to send notification of IP datagram problems back to the sender. ICMP packets are encapsulated inside of IP datagrams. The ICMP sends query and error reporting messages. With query messages, ICMP can also diagnose some network problems. In this class of ICMP messages, a node sends a message that is answered in a specific format by the destination node. Mileva, page 26);
determining that processing of the datagram creates an error condition (the implementation of the protocol must be robust. In general, an implementation must be conservative in its sending behavior and liberal in its receiving behavior i.e. it must be careful to send well-formed datagrams but must accept any datagram that it can interpret. Mileva, page 28, and From the network communications perspective, this processing can introduce position error(s) in the sequence of network packets, thereby affecting the covert message, C¤k. Mileva, page 10);
determining that the datagram comprises at least one of suspicious condition selected from the group (Here two sets of datagrams are shown: suspicious and non-suspicious. Suspicious are those that can catch the eye of the network administrator as possessing abnormal data or message as compared to normal packets. Non-suspicious would be those that are engineered well in order to deceive the network monitoring automated devices. From the covert communication point of view, non-suspicious datagrams would be termed as appropriate for data hiding process. Mileva, page 31) consisting of:
an encrypted payload (Wolf establishes the fact that encryption, the basic mechanism of LAN security, cannot ensure the proper blocking of unauthorized information via covert channels. The work points to the unused bandwidth possible for covert transmission, Mileva, page 13);
a destination not matching any known address for hosts within the network (The ICMP address mask request is meant from host to the specific router on the LAN or broadcast message to all the routers on the LAN. The request is filled with zeros in the 32-bit address mask field. This can be used to have covert communication from host to router(s) on the same LAN. Mileva, pages 26-27);
a time to live value matching a number of gateways traversed by said datagram within said network (Covert channels can be created using fields in protocol’s header that are changing during the transmission, like 1-bit-per-packet noisy covert channel using Time To Live (TTL) field, suggested by Qu et al [41]. Zander et al [42] proposed an improved 1-bit-per-packet covert channel encoding in the TTL field, analysing initial TTL values and normal TTL occurring in networks. They suggest using two different starting values of TTL in packets, the typical initial value as High-TTL (binary 1) and High-TTL -1 as Low-TTL (binary 0). Mileva, page 47); and
the error condition being of a particular type (Table 5. Covert channels for TCP. Mileva, page 55);
determining that the datagram contains a payload intended for covert transmission (Table 4. Covert channels for ICMP. Mileva, page 53).
As per claim 2, Mileva teaches the method of claim 1 wherein:
the determination that the datagram comprises at least one of the suspicious conditions is made at the host (Additionally, the Loki client allows a remote attacker to wrap and transmit commands in ICMP payloads and the Loki server, unwraps and executes the commands, sending the results back wrapped in ICMP packets. This channel will work for any network device which does not filter the contents of ICMP Echo traffic, and is very simple to deploy. Mileva, page 52).
As per claim 3, Mileva teaches the method of claim 1 wherein: the network is an IP network (Internet Control Message Protocol (ICMP) is another connectionless protocol in the Internet layer, used to transfer error messages and other information between the nodes. ICMP messages are sent encapsulated in IP packets. Mileva, page 52).
As per claim 4, Mileva teaches the method of claim 3 wherein: the host is configured to generate ICMP error messages (In Skeeve, the hidden sender sends an ICMP Echo Request packet to the bounce server with an address of the receiver as a source IP. Mileva, page 52).
As per claim 5, Mileva teaches the method of claim 1 further comprising the steps of: determining that at least two of the suspicious conditions are present prior to determining that the datagram contains the payload intended for covert transmission; and generating an alert message indicating the presence of the suspicious conditions (Manipulation of the IP header can be done in several ways:
• by setting false traffic in the 8-bit Traffic class,
• by setting false flow in the 20-bit Flow Label,
• by setting false source address in the 128-bit Source Address,
• by setting an initial Hop Limit value and manipulating the value of subsequent packets. A drawback of this channel is that packets do not necessarily travel the same route, so the number of intermediate hops may vary. By modifying n packets, n − 1 bits are sent,
• by setting a valid value to add an extra extension header in the 8-bit Next Header field, or by increasing value of the Payload Length and append extra data at the end of the packet,
• by modification of the Option Data Length and Option Data fields in the Hop-by-hop options header. For false router alert, PRBR is 2B, for false padding value PRBR is up to 256B, and for fabrication of one or more options, PRBR is up to 2038B,
• by 4-bytes Reserved field or by fabricating addresses up to 2048 bytes per packet in Routing header with routing Type 0
• by using 8-bit and 2-bit Reserved bits, setting false Next Header or inserting entire false fragment in the Fragment header. In the last case, authors propose two solutions to avoid this fragment to be included in the reassembly process: by inserting an invalid value in Identification field in Fragment header that causes fragment to be dropped, and by inserting overlapping Fragment Offset value that causes data to be overwritten during reassembly,
• by manipulating Option Data Length and Option Data fields with fabricating one or more options (PRBR up to 2038B) or setting false padding values (PRBR up to 256B) in the Destination options header,
• by using 2-bytes Reserved field or by creating an entire fake header up to 1022 bytes per packet in the Authentication header,
• by creating entire fake header up to 1022 bytes per packet or by setting false padding value up to 255 bytes per packet in the ESP header.
Some of these channels can fail in the ICV calculation, and trigger immediate detection, so communication parties need to be careful. The sender needs to calculate ICV after inserting covert data, and the receiver needs to intercept the packet before it reaches its destination. Mileva, page 52).
As per claim 7, Mileva teaches the method of claim 1 wherein: determining that the suspicious condition of the encrypted payload is present prior to determining that the datagram contains the payload intended for covert transmission (Another way is intermediate nodes to intercept the SSH traffic and inserts an additional encrypted message (up to 20B) at the beginning of the already encrypted payload. A 4 byte “magic” number at the beginning marks the presence of a hidden message. Mileva, page 59).
As per claim 8, Mileva teaches the method of claim 1 wherein: determining that the suspicious condition of the destination not matching any known address for hosts within the network is present prior to determining that the datagram contains the payload intended for covert transmission (The ICMP address mask request is meant from host to the specific router on the LAN or broadcast message to all the routers on the LAN. The request is filled with zeros in the 32-bit address mask field. This can be used to have covert communication from host to router(s) on the same LAN. Mileva, pages 26-27).
As per claim 9, Mileva teaches the method of claim 1 wherein: determining that the suspicious condition of the time to live value matching a number of gateways traversed by said datagram within said network is present prior to determining that the datagram contains the payload intended for covert transmission (Covert channels can be created using fields in protocol’s header that are changing during the transmission, like 1-bit-per-packet noisy covert channel using Time To Live (TTL) field, suggested by Qu et al [41]. Zander et al [42] proposed an improved 1-bit-per-packet covert channel encoding in the TTL field, analysing initial TTL values and normal TTL occurring in networks. They suggest using two different starting values of TTL in packets, the typical initial value as High-TTL (binary 1) and High-TTL -1 as Low-TTL (binary 0). Mileva, page 47).
As per claim 10, Mileva teaches the method of claim 1 wherein: determining that the suspicious condition of the error condition being of at least one particular type is present prior to determining that the datagram contains the payload intended for covert transmission (Table 5. Covert channels for TCP. Mileva, page 55).
As per claim 11, Mileva teaches the method of claim 10 wherein: the at least one particular type of error condition comprises statistically uncommon errors (Table 1. Covert storage channels for IPv4. Mileva, page 48).
As per claim 12, Mileva teaches the method of claim 10 wherein: the at least one particular type of error condition comprises statistically common errors (Table 1. Covert storage channels for IPv4. Mileva, page 48).
As per claim 13, Mileva teaches the method of claim 10 wherein: the at least one particular type of error condition is related to fragmentation (Table 1. Covert storage channels for IPv4. Mileva, page 48).
As per claim 14, Mileva teaches the method of claim 10 wherein: the at least one particular type of error condition is related to formation of the datagram (Table 1. Covert storage channels for IPv4. Mileva, page 48).
As per claim 15, Mileva teaches the method of claim 10 wherein: the at least one particular type of error condition is unrelated to activity expected on the network (A 4 byte “magic” number at the beginning marks the presence of a hidden message. The hidden message can be carried in the Random padding field [34] also, with length up to 255B. Mileva, page 59).

Claims 16-20 have limitations similar to those treated in the above rejection, and are met by the references as discussed above, and are rejected for the same reasons of anticipation (obviousness) as used above.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of copending Application No. 17/368,498 (reference application). Although the claims at issue are not identical, they are not patentably distinct from each other because the above claims of the present application would have been obvious over claims 1-20 of the reference application because each element of the claims of the present application is anticipated by the claims of the copending application and as such are unpatentable for obviousness-type double patenting (In re Goodman (CAFC) 29 USPQ2D 2010 (12/3/1993)).
This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.

Allowable Subject Matter
Claim 6 is indicated as allowable over prior art.
The following is a statement of reasons for the indication of allowable subject matter:  
None of the cited references teaches the limitation “determining that each of the suspicious conditions are present prior to determining that the datagram contains the payload intended for covert transmission”.
As allowable subject matter has been indicated, applicant's reply must either comply with all formal requirements or specifically traverse each requirement not complied with.  See 37 CFR 1.111(b) and MPEP § 707.07(a).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to OLEG KORSAK whose telephone number is (571)270-1938.  The examiner can normally be reached on 5:00 AM- 4:00 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/OLEG KORSAK/
Primary Examiner, Art Unit 2492