Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION

Status of Claims
Claims 1-20 are subject to examination.  

Priority
Applicant’s claim for domestic priorities as claimed in this application under 35 U.S.C. 119(e) is acknowledged.  (This application is a CON of 16/543,284, 08/16/2019, PAT 10798123; 16/543,284 is a CON of 16/259,164 01/28/2019 PAT 10389750, 16/259,164 is a CON of 15/429,005 02/09/2017 PAT 10193921, 15/429,005 has PRO 62/374,521 08/12/2016).

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are rejected on the ground of nonstatutory double patenting as being anticipated over claims 1-20 of U.S. Patent No. 10798123. 

Below is a comparison of limitations of claims 1-20 of this application 17/035,825 versus the claims 1-20 of Patent No. 10798123.
This application 17/035,825
U.S. Patent No. 10798123
1. A method for managing access to a public network, the method comprising:

utilizing a control system to control a computing device to access a first node in the public network;

applying a personality profile to the computing device to access a second node in the public network;







detecting an indication of a malware program stored in the public network accessible through the second node;

storing information of the malware program in a database based on transmission of information between the computing device and the public network during accessing of the second node of the public network; and
creating malware prevention rules based on the information of the malware program.

2. The method of claim 1, wherein creating malware prevention rules based on the stored information comprises flagging a network address associated with the information of the malware program as a source of malware programs.

3. The method of claim 2, wherein creating malware prevention rules based on the stored information further comprises:
preventing the malware program from spreading by sharing the flagged network address with another computing device.

4. The method of claim 1, further comprising obtaining a use history of the browser program of the computing device, wherein the personality profile comprises the use history of the browser program.

7. The method of claim 1, wherein the plurality of inputs to the browser program of the computing device comprise at least one of a mouse movement, a scrolling input, a length of viewing of the first node in the public network, or a selected embedded link with in the first node.

5. The method of claim 4, wherein 
applying the personality profile to the computing device to access the second node in the public network comprises transmitting the use history and the plurality of inputs to the browser program of the computing device.

6. The method of claim 1, further comprising adjusting the personality profile based at least on the transmission of information between the computing device and the public network during accessing of the second node of the public network;

8. The method of claim 1, further comprising accessing an aggregation service of the public network to determine the first node accessed by the computing device.

9. A malware detection system comprising: a computing device in communication with a public network; and a control device in communication with the computing device, the control device comprising: a processing device; and a computer-readable medium connected to the processing device configured to store information and instructions that, when executed by the processing device, performs the operations of: instruct a browser program executed by the computing device to access a first node in the public network; 
apply a personality profile to the computing device to access a second node in the public network; 








detect an indication of a malware program stored in the public network accessible through the second node; 
store information of the malware program in a storage device based on transmission of information between the computing device and the public network during accessing of the second node of the public network; and 
create malware prevention rules based on the information of the malware program.

10. The system of claim 9, wherein creation of the malware prevention rules based on the stored information comprises flagging a network address associated with the information of the malware program as a source of malware programs.

11. The system of claim 10, wherein creation of the malware prevention rules based on the stored information further comprises preventing the malware program from spreading by sharing the flagged network address with another computing device.

12. The system of claim 9, wherein 
the processing device of the control device further performs the operation of 
obtain a use history of the browser program of the computing device, wherein the personality profile comprises the use history of the browser program.

13. The system of claim 12, wherein to 
apply the personality profile to the computing device to access the second node in the public network comprises transmitting the use history and the plurality of inputs to the browser program of the computing device.

14. The system of claim 9, wherein the processing device of the control device further 
performs the operation to 
adjust the personality profile based at least on the transmission of information between the computing device and the public network during accessing of the second node of the public network.

15. The system of claim 9  wherein the plurality of inputs to the browser program of the computing device comprise at least one of a mouse movement, a scrolling input, a length of viewing of the first node in the public network,  or a selected embedded link within the first node.

16. The system of claim 9, wherein the processing device of the control device further performs the operation to 
access an aggregation service of the public network to determine the first node accessed by the computing device.

17. A non-transitory computer-readable medium encoded with instructions for detecting malware in a public network, the instructions, executable by a processor, comprising:
utilize a control system to control a computing device to access a first node in the public network;
apply a personality profile to the computing device to access a second node in the public network;







detect an indication of a malware program stored in the public network accessible through the second node;
store information of the malware program in a database based on transmission of information between the computing device and the public network during accessing of the second node of 
the public network; and
create malware prevention rules based on the information of the malware program.
 
18. The non-transitory computer-readable medium of claim 17, wherein creation of the malware prevention rules based on the stored information comprises flagging a network address associated with the information of the malware program as a source of malware programs.

19. The non-transitory computer-readable medium of claim 18, wherein creation of the malware prevention rules based on the stored information further comprises preventing the malware program from spreading by sharing the flagged network address with another computing device.

20. The non-transitory computer-readable medium of claim 17, wherein the instructions further comprise: obtain a use history of the browser program of the computing device, wherein the personality profile comprises the use history of the browser program; and adjust the personality profile based at least on the analyzed transmission of information between the computing device and the public network during accessing of the second node of the public network.
1. A method for managing access to a public network, the method comprising: 

utilizing a control system to control a computing device to access a first node in the public network; 

applying a personality profile to the computing device to access a second node in the public network, 
the personality profile comprising a plurality of inputs provided to the computing device to control a browser program displayed on a display of the computing device; analyzing transmission of information between the computing device and the public network during accessing of the second node of the public network; 
detecting an indication of a malware program stored in the public network accessible through the second node; 

storing information of the malware program in a database based on the transmission of information between the computing device and the public network during accessing of the second node of the public network; and 
creating malware prevention rules based on the information of the malware program.

2. The method of claim 1, wherein creating malware prevention rules based on the stored information comprises flagging a network address associated with the information of the malware program as a source of malware programs.

3. The method of claim 2, wherein creating malware prevention rules based on the stored information further comprises: 
preventing the malware program from spreading by sharing the flagged network address with another computing device.

4. The method of claim 1, further comprising obtaining a use history of the browser program of the computing device, wherein the personality profile comprises the use history of the browser program.

7. The method of claim 1, wherein the plurality of inputs to the browser program of the computing device comprise at least one of a mouse movement, a scrolling input, a length of viewing of the first node in the public network, or a selected embedded link with in the first node.

5. The method of claim 4, wherein 
applying the personality profile to the computing device to access the second node in the public network comprises transmitting the use history and the plurality of inputs to the browser program of the computing device.

6. The method of claim 1, further comprising adjusting the personality profile based at least on the transmission of information between the computing device and the public network during accessing of the second node of the public network.

8. The method of claim 1, further comprising accessing an aggregation service of the public network to determine the first node accessed by the computing device.

9. A malware detection system comprising: a computing device in communication with a public network; and a control device in communication with the computing device, the control device comprising: a hardware processing device; and a computer-readable medium connected to the processing device configured to store information and instructions that, when executed by the processing device, performs the operations of: instruct a browser program executed by the computing device to access a first node in the public network; 
apply a personality profile to the computing device to access a second node in the public network, 
the personality profile comprising a plurality of inputs provided to the computing device to control the browser program; 
analyze an exchange of information between the computing device and the public network during accessing of the second node of the public network; 
detect an indication of a malware program stored in the public network accessible through the second node; 
store information of the malware program in a storage device based on the transmission of information between the computing device and the public network during accessing of the second node of the public network; and 
create malware prevention rules based on the information of the malware program.

10. The system of claim 9, wherein creation of the malware prevention rules based on the stored information comprises flagging a network address associated with the information of the malware program as a source of malware programs.

11. The system of claim 10, wherein creation of the malware prevention rules based on the stored information further comprises preventing the malware program from spreading by sharing the flagged network address with another computing device.

12. The system of claim 9, wherein the processing device of the control device further performs the operation of 
obtain a use history of the browser program of the computing device, wherein the personality profile comprises the use history of the browser program.

13. The system of claim 12, wherein to 
apply the personality profile to the computing device to access the second node in the public network comprises transmitting the use history and the plurality of inputs to the browser program of the computing device.

14. The system of claim 9, wherein the processing device of the control device further performs the operation to 
adjust the personality profile based at least on the transmission of information between the computing device and the public network during accessing of the second node of the public network.

15. The system of claim 9, wherein the plurality of inputs to the browser program of the computing device comprise at least one of a mouse movement, a scrolling input, a length of viewing of the first node in the public network, or a selected embedded link within the first node.

16. The system of claim 9, wherein the processing device of the control device further performs the operation to 
access an aggregation service of the public network to determine the first node accessed by the computing device.

17. A non-transitory computer-readable medium encoded with instructions for detecting malware in a public network, the instructions, executable by a processor, comprising: 
utilize a control system to control a computing device to access a first node in the public network; 
apply a personality profile to the computing device to access a second node in the public network, 
the personality profile comprising a plurality of inputs provided to the computing device to control a browser program displayed on a display of the computing device; analyze transmission of information between the computing device and the public network during accessing of the second node of the public network; 
detect an indication of a malware program stored in the public network accessible through the second node; 
store information of the malware program in a database based on the analyzed transmission of information between the computing device and the public network during accessing of the second node of the public network; and 
create malware prevention rules based on the information of the malware program.

18. The non-transitory computer-readable medium of claim 17, wherein creation of the malware prevention rules based on the stored information comprises flagging a network address associated with the information of the malware program as a source of malware programs.

19. The non-transitory computer-readable medium of claim 18, wherein creation of the malware prevention rules based on the stored information further comprises preventing the malware program from spreading by sharing the flagged network address with another computing device.

20. The non-transitory computer-readable medium of claim 17, wherein the instructions further comprise: obtain a use history of the browser program of the computing device, wherein the personality profile comprises the use history of the browser program; and adjust the personality profile based at least on the analyzed transmission of information between the computing device and the public network during accessing of the second node of the public network.


Claims 1, 4-9, 12-17 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-6, 10-15, 18 of U.S. Patent No. 10389750 in view of Tal et al., US 20150163234 A1. 
Below is a comparison of limitations of claims 1, 4-9, 12-17 of this application 17/035,825 versus the claims 1-4, 8-11, 14 of Patent No. 10389750.
This application 17/035,825
Patent No. 10389750
1. A method for managing access to a public network, the method comprising:

utilizing a control system to control a computing device to access a first node in the public network;
applying a personality profile to the computing device to access a second node in the public network;


















detecting an indication of a malware program stored in the public network accessible through the second node;

storing information of the malware program in a database based on transmission of information between the computing device and the public network during accessing of the second node of the public network; and
creating malware prevention rules based on the information of the malware program.
4. The method of claim 1, further comprising obtaining a use history of the browser program of the computing device, wherein the personality profile comprises the use history of the browser program.

7. The method of claim 1, wherein the plurality of inputs to the browser program of the computing device comprise at least one of a mouse movement, a scrolling input, a length of viewing of the first node in the public network, or a selected embedded link with in the first node.

5. The method of claim 4, wherein 
applying the personality profile to the computing device to access the second node in the public network comprises transmitting the use history and the plurality of inputs to the browser program of the computing device.

6. The method of claim 1, further comprising adjusting the personality profile based at least on the transmission of information between the computing device and the public network during accessing of the second node of the public network;

8. The method of claim 1, further comprising 

accessing an aggregation service of the public network to determine the first node accessed by the computing device.

9. A malware detection system comprising:

a computing device in communication with a public network; and a control device in communication with the computing device, the control device comprising:
a processing device; and a computer-readable medium connected to the processing device configured to store information and instructions that, when executed by the processing device, performs the operations of: instruct a browser program executed by the computing device to access a first node in the public network; 
apply a personality profile to the computing device to access a second node in the public network; 


















detect an indication of a malware program stored in the public network accessible through the second node; 
store information of the malware program in a storage device based on transmission of information between the computing device and the public network during accessing of the second node of the public network; and 
create malware prevention rules based on the information of the malware program.


12. The system of claim 9, wherein 
the processing device of the control device further performs the operation of 
obtain a use history of the browser program of the computing device, wherein the personality profile comprises the use history of the browser program.

13. The system of claim 12, wherein to 
apply the personality profile to the computing device to access the second node in the public network comprises transmitting the use history and the plurality of inputs to the browser program of the computing device.

14. The system of claim 9, wherein the processing device of the control device further 
performs the operation to 
adjust the personality profile based at least on the transmission of information between the computing device and the public network during accessing of the second node of the public network.

15. The system of claim 9  wherein the plurality of inputs to the browser program of the computing device comprise at least one of a mouse movement, a scrolling input, a length of viewing of the first node in the public network,  or a selected embedded link within the first node.

16. The system of claim 9, wherein the processing device of the control device further performs the operation to 
access an aggregation service of the public network to determine the first node accessed by the computing device.

17. A non-transitory computer-readable medium encoded with instructions for detecting malware in a public network, the instructions, executable by a processor, comprising:
utilize a control system to control a computing device to access a first node in the public network;
apply a personality profile to the computing device to access a second node in the public network;
















detect an indication of a malware program stored in the public network accessible through the second node;
store information of the malware program in a database based on transmission of information between the computing device and the public network during accessing of the second node of 
the public network; and
create malware prevention rules based on the information of the malware program
 
1. A method for managing access to a public network, the method comprising: 

utilizing a control system to control a computing device to access a first node in the public network; 
applying a personality profile to the computing device to access a second node in the public network, 
the personality profile comprising a plurality of inputs provided to the computing device to control a browser program displayed on a display of the computing device; 
obtaining a use history of the browser program of the computing device, wherein the personality profile comprises the use history of the browser program; 
analyzing transmission of information between the computing device and the public network during accessing of the second node of the public network; 
adjusting the personality profile based at least on the analyzed transmission of information between the computing device and the public network during accessing of the second node of the public network; 
detecting an indication of a malware program stored in the public network accessible through the second node; and 

storing information of the malware program in a database based on the transmission of information between the computing device and the public network during accessing of the second node of the public network.



Above Claim 1 limitations:
obtaining a use history of the browser program of the computing device, wherein the personality profile comprises the use history of the browser program; 

3. The method as recited in claim 1 wherein the plurality of inputs to the browser program of the computing device comprise at least one of a mouse movement, a scrolling input, a length of viewing of the first node in the public network, or a selected embedded link within the first node.

2. The method as recited in claim 1 wherein applying the personality profile to the computing device to access the second node in the public network comprises transmitting the use history and the plurality of inputs to the browser program of the computing device.

Above Claim 1 limitations: 
adjusting the personality profile based at least on the transmission of information between the computing device and the public network during accessing of the second node of the public network;

4. The method as recited in claim 1 further comprising: 
accessing an aggregation service of the public network to determine the first node accessed by the computing device.

8. A malware detection system comprising: 

a computing device in communication with a public network; and a control device in communication with the computing device, the control device comprising: 
a processing device; and a computer-readable medium connected to the processing device configured to store information and instructions that, when executed by the processing device, performs the operations of: instructing a browser program executed by the computing device to access a first node in the public network; 
applying a personality profile to the computing device to access a second node in the public network, 
the personality profile comprising a plurality of inputs provided to the computing device to control the browser program; 
obtaining a use history of the browser program of the computing device, wherein the personality profile comprises the use history of the browser program; 
analyzing an exchange of information between the computing device and the public network during accessing of the second node of the public network; 
adjusting the personality profile based at least on the analyzed transmission of information between the computing device and the public network during accessing of the second node of the public network; 
detecting an indication of a malware program stored in the public network accessible through the second node; and 
storing information of the malware program in a storage device based on the transmission of information between the computing device and the public network during accessing of the second node of the public network.






Above claim 8 limitations:
obtaining a use history of the browser program of the computing device, wherein the personality profile comprises the use history of the browser program; 

9. The system as recited in claim 8 wherein applying the personality profile to the computing device to access the second node in the public network comprises transmitting the use history and the plurality of inputs to the browser program of the computing device.



Above claim 8 limitations:
adjusting the personality profile based at least on the transmission of information between the computing device and the public network during accessing of the second node of the public network

10. The system as recited in claim 8 wherein the plurality of inputs to the browser program of the computing device comprise at least one of a mouse movement, a scrolling input, a length of viewing of the first node in the public network, or a selected embedded link within the first node.

11. The system as recited in claim 8 wherein the processing device of the control device further performs the operation 
accessing an aggregation service of the public network to determine the first node accessed by the computing device.

14. A non-transitory computer-readable medium encoded with instructions for detecting malware in a public network, the instructions, executable by a processor, comprising: 
utilizing a control system to control a computing device to access a first node in the public network; 
applying a personality profile to the computing device to access a second node in the public network, 
the personality profile comprising a plurality of inputs provided to the computing device to control a browser program displayed on a display of the computing device; obtaining a use history of the browser program of the computing device, wherein the personality profile comprises the use history of the browser program; 
analyzing transmission of information between the computing device and the public network during accessing of the second node of the public network; 
adjusting the personality profile based at least on the analyzed transmission of information between the computing device and the public network during accessing of the second node of the public network; 
detecting an indication of a malware program stored in the public network accessible through the second node; and 
storing information of the malware program in a database based on the transmission of information between the computing device and the public network during accessing of the second node of the public network.



The patent claims do not contain, limitations, creating malware prevention rules based on the information of the malware program of the claims 1, 9, 17 of this application is not disclosed in the patent claims, which Tal et al., US 20150163234 A1 discloses,
[0110] The report processor 140 may be operable to receive the automated report 130 from the data scanner 120, to analyze the automated report 130 and to generate at least one protective element 150 directed towards removing or quarantining at least one identified web-based malware. Various protective elements 150, providing rule based logic may be generated, as appropriate, so as to prevent exploitation of the web-based malware. For example, an indication for a malware may be found in "http://website.com/index.php" file, having an &lt;iframe&gt; (an inline frame used to embed another document within the current HTML document) with a malicious URL leading to a potential harmful networked resource. The rule based logic would remove the malicious URL (optionally the &lt;iframe&gt; all together) by generating a rule associated with the malicious URL (or the &lt;iframe&gt; as a whole) for this specific file (index.php), as described hereinafter in FIG. 2C.
[0127] In this situation, the rule based logic may add the logic to remove the malicious URL (optionally, delete the &lt;iframe&gt; section all together) by generating at least one rule associated with the malicious URL (or the &lt;iframe&gt; as a whole) for the particular web file (index.php). Each time, the protective agent 35, upon receiving the web file (index.php) will apply the associated rule(s), removing the malicious URL from the web file and forward the filtered file to the requesting client.

It would have been obvious to one with ordinary skills in the art before the effective filing date of the claimed invention to include creating malware prevention rules based on the information of the malware program in the patent claims. The created rule based on the analysis would prevent exploitation of the malware program such as web-based malware or malicious URL leading to a potential harmful networked resource including a software or application. Each time the web file or software or application or URL is received, the created rule would be applied to remove the malicious or malware to protect the element, para 110, 127.

Claims 1, 4-9, 12-17 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-6, 10-15, 18 of U.S. Patent No. 10193921 in view of Tal et al., US 20150163234 A1. 
Below is a comparison of limitations of claims 1, 4-9, 12-17 of this application 17/035,825 versus the claims 1-6, 10-15, 18 of Patent No. 10193921.
This application 17/035,825
Patent No. 10193921
1. A method for managing access to a public network, the method comprising:

utilizing a control system to control a computing device to access a first node in the public network;

applying a personality profile to the computing device to access a second node in the public network;










detecting an indication of a malware program stored in the public network accessible through the second node;

storing information of the malware program in a database based on transmission of information between the computing device and the public network during accessing of the second node of the public network; and
creating malware prevention rules based on the information of the malware program.
4. The method of claim 1, further comprising obtaining a use history of the browser program of the computing device, wherein the personality profile comprises the use history of the browser program.


5. The method of claim 4, wherein applying the personality profile to the computing device to access the second node in the public network comprises transmitting the use history and the plurality of inputs to the browser program of the computing device.

6. The method of claim 1, further comprising adjusting the personality profile based at least on the transmission of information between the computing device and the public network during accessing of the second node of the public network;

7. The method of claim 1, wherein the plurality of inputs to the browser program of the computing device comprise at least one of a mouse movement, a scrolling input, a length of viewing of the first node in the public network, or a selected embedded link with in the first node.

8. The method of claim 1, further comprising accessing an aggregation service of the public network to determine the first node accessed by the computing device.

9. A malware detection system comprising:

a computing device in communication with a public network; and

a control device in communication with the computing device, the control device comprising:


a processing device; and a computer-readable medium connected to the processing device configured to store information and instructions that, when executed by the processing device, performs the operations of: instruct a browser program executed by the computing device to access a first node in the public network; 
apply a personality profile to the computing device to access a second node in the public network; 







detect an indication of a malware program stored in the public network accessible through the second node; 

store information of the malware program in a storage device based on transmission of information between the computing device and the public network during accessing of the second node of the public network; and 
create malware prevention rules based on the information of the malware program.
12. The system of claim 9, wherein 
the processing device of the control device further performs 
the operation of obtain a use history of the browser program of the computing device, wherein the personality profile comprises the use history of the browser program.

13. The system of claim 12, wherein to apply the personality profile to the computing device to access the second node in the public network comprises transmitting the use history and the plurality of inputs to the browser program of the computing device.

14. The system of claim 9, wherein the processing device of the control device further 
performs the operation to adjust the personality profile based at least on the transmission of information between the computing device and the public network during accessing of the second node of the public network.

15. The system of claim 9  wherein the plurality of inputs to the browser program of the computing device comprise at least one of a mouse movement, a scrolling input, a length of viewing of the first node in the public network,  or a selected embedded link within the first node.


16. The system of claim 9, wherein the processing device of the control device further 
performs the operation to access an aggregation service of the public network to determine the first node accessed by the computing device.

17. A non-transitory computer-readable medium encoded with instructions for detecting malware in a public network, the instructions, executable by a processor, comprising:

utilize a control system to control a computing device to access a first node in the public network;

apply a personality profile to the computing device to access a second node in the public network;










detect an indication of a malware program stored in the public network accessible through the second node;

store information of the malware program in a database based on transmission of information between the computing device and the public network during accessing of the second node of the public network; and
create malware prevention rules based on the information of the malware program
1. A method for managing access to a public network, the method comprising:

utilizing a control system to control a computing device to access an initial node in the public network;

applying a personality profile to the computing device to access a second node in the public network, 
the personality profile comprising a plurality of inputs provided to the computing device to control a browser program displayed on a display of the computing device;

analyzing transmission of information between the computing device and the public network during accessing of the second node of the public network;

detecting an indication of a malware program stored in the public network accessible through the second node; and

storing information of the malware program in a database based on transmission of information between the computing device and the public network during accessing of the second node of the public network.


2. The method of claim 1 further comprising:
obtaining a use history of the browser program of the computing device, wherein the personality profile comprises the use history of the browser program.


3. The method of claim 2 wherein applying the personality profile to the computing device to access the second node in the public network comprises transmitting the use history and the plurality of inputs to the browser program of the computing device.

5. The method of claim 1 further comprising:
adjusting the personality profile based at least on the transmission of information between the computing device and the public network during accessing of the second node of the public network.

4. The method of claim 2 wherein the plurality of inputs to the browser program of the computing device comprise at least one of a mouse movement, a Scrolling input, a length of viewing of the initial node in the public network, or a selected embedded link within the initial node.

6. The method of claim 1 further comprising: accessing an aggregation service of the public network to determine the initial node accessed by the computing device.

10. A malware detection system comprising:

at least one computing device in communication with a public network; and

a control device in communication with the at least one computing device, the control device comprising:

a processing device; and a computer-readable medium connected to the processing device configured to store information and instructions that, when executed by the processing device, performs the operations of: instructing a browser program executed by the computing device to access an initial node in the public network; applying a personality profile to the computing device to access a second node in the public network, 
the personality profile comprising a plurality of inputs provided to the computing device to control the browser program; analyzing an exchange of information between the computing device and the public network during accessing of the second node of the public network; 

detecting an indication of a malware program stored in the public network accessible through the second node;  

storing information of the malware program in a storage device based on the transmission of information between the computing device and the public network during accessing of the second node of the public network.


11. The system of claim 10 wherein 
the processing device of the control device further performs 
the operation of obtaining a use history of the browser program of the computing device, wherein the personality profile comprises the use history of the browser program.

12. The system of claim 11 wherein applying the personality profile to the computing device to access the second node in the public network comprises transmitting the use history and the plurality of inputs to the browser program of the computing device.

14. The system of claim 10 wherein the processing device of the control device further performs the operation adjusting the personality profile based at least on the transmission of information between the computing device and the public network during accessing of the second node of the public network.

13. The system of claim 11 wherein the plurality of inputs to the browser program of the computing device comprise at least one of a mouse movement, a scrolling input, a length of viewing of the initial node in the public network, or a selected embedded link within the initial node.

15. The system of claim 10 wherein the processing device of the control device further performs the operation accessing an aggregation service of the public network to determine the initial node accessed by the computing device.

18. A non-transitory computer-readable medium encoded with instructions for detecting malware in a public network, the instructions, executable by a processor, comprising:

utilizing a control system to control a computing device to access an initial node in the public network;

applying a personality profile to the computing device to access a second node in the public network, 
the personality profile comprising a plurality of inputs provided to the computing device to control a browser program displayed on a display of the computing device;

analyzing transmission of information between the computing device and the public network during accessing of the second node of the public network;

detecting an indication of a malware program stored in the public network accessible through the second node; and

storing information of the malware program in a database based on the transmission of information between the computing device and the public network during accessing of the second node of the public network.




The patent claims do not contain, limitations, creating malware prevention rules based on the information of the malware program of the claims 1, 9, 17 of this application is not disclosed in the patent claims, which Tal et al., US 20150163234 A1 discloses,
[0110] The report processor 140 may be operable to receive the automated report 130 from the data scanner 120, to analyze the automated report 130 and to generate at least one protective element 150 directed towards removing or quarantining at least one identified web-based malware. Various protective elements 150, providing rule based logic may be generated, as appropriate, so as to prevent exploitation of the web-based malware. For example, an indication for a malware may be found in "http://website.com/index.php" file, having an &lt;iframe&gt; (an inline frame used to embed another document within the current HTML document) with a malicious URL leading to a potential harmful networked resource. The rule based logic would remove the malicious URL (optionally the &lt;iframe&gt; all together) by generating a rule associated with the malicious URL (or the &lt;iframe&gt; as a whole) for this specific file (index.php), as described hereinafter in FIG. 2C.
[0127] In this situation, the rule based logic may add the logic to remove the malicious URL (optionally, delete the &lt;iframe&gt; section all together) by generating at least one rule associated with the malicious URL (or the &lt;iframe&gt; as a whole) for the particular web file (index.php). Each time, the protective agent 35, upon receiving the web file (index.php) will apply the associated rule(s), removing the malicious URL from the web file and forward the filtered file to the requesting client.

It would have been obvious to one with ordinary skills in the art before the effective filing date of the claimed invention to include creating malware prevention rules based on the information of the malware program in the patent claims. The created rule based on the analysis would prevent exploitation of the malware program such as web-based malware or malicious URL leading to a potential harmful networked resource including a software or application. Each time the web file or software or application or URL is received, the created rule would be applied to remove the malicious or malware to protect the element, para 110, 127.

Specification
The title is objected to because the title of the invention is not descriptive.  A new title is required that is clearly indicative of the invention to which the claims are directed. The present title is well known in the art (please see cited arts), too broad and not sufficient for proper classification of the claimed subject matter. The title should also reflect claimed invention,
CREATING MALWARE PREVENTION RULES USING MALWARE DETECTION AND PREVENTION SYSTEM, please refer to MPEP 606 for title contents.
Correction is required.   

Drawings
The figures submitted on the filing date of this application are acknowledged. 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


NOTE: Below rejections are substantially from office action dated 7/6/2018 of parent application 15/429,005.
Claims 1, 8, 9, 16, 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Baddour et al. (US 20080010683) in view of Wang et al. (US 20130145465) and Tal et al., US 20150163234.
Referring claims 1, 9, 17, Baddour teaches A method for managing access to a public network, the method comprising: a non-transitory computer-readable medium encoded with instructions for detecting malware in a public network, the instructions, executable by a processor, comprising:. A method for managing access to a public network, the method comprising: utilizing a control system to, a malware detection system comprising: a computing device in communication with a public network; and a control device in communication with the computing device, the control device comprising: a processing device; and a computer-readable medium connected to the processing device configured to store information and instructions that, when executed by the processing device, performs the operations of: instruct a browser program executed by: the computing device to access a first node in the public network, utilizing a control system to control a computing device to access an initial node in the public network; (par.70 of Baddour, using honey client system including control servers 220 to control a plurality of honey miners to visit web sites and mimic human browser behavior in an attempt to detect malicious code on the websites. The websites comprise at least an initial node)
applying a personality profile to the computing device to access a second node in the public network, the personality profile comprising a plurality of inputs provided to the computing device to control a browser program displayed on a display of the computing device; (par.71 of Baddour, the control servers provide the URLs to the honey miners. Par.72 of Baddour, the control servers control the honey miners which include actual web browsing software which is configured to visit websites according to the provided URLs and access content on the websites via the browser software. Par.73 of Baddour, “the URL 232 may often include various pages from the same web domains, as the miners may have been configured to crawl through the links in the websites.” The URLs are the profile applied to the honey miners and are the inputs. Crawling through the links in the websites means accessing at least a second node via the links. Par.42 and fig.1, the honey miners are client computers with monitor capable of displaying the web browser. Baddour does not expressly teach “personality” even though the act of mimicking human browser behavior disclosed in par.70 can be interpreted as implicit disclosure of it.)
analyzing transmission of information between the computing device and the public network during accessing of the second node of the public network; detecting an indication of a malware program stored in the public network accessible through the second node; and (par.70, 75 of Baddour, analyzing content on the websites at the URLs to detect malicious code and categorize the URLs with a score. The analyzed content is understood to also include content of the selected and followed links (second node) as discussed above in par.73)
storing information of the malware program in a database based on the analyzed transmission of information between the computing device and the public network during accessing of the second node of the public network. (par.85 of Baddour, storing URLs having malicious content that has been identified with one or more categories: keyloggers, viruses, worms, etc.)
Baddour teaches, in par.70, controlling the honey miners which include web browsing software to mimic human behavior when accessing the websites. Baddour does not expressly teach mimicking by applying a personality. However, Wang teaches, in par.24, generating honey activity for the honey entities (e.g., honey miners) to deceive malicious attackers. Par.39, deceiving the attackers by emulating a real user with a honey user with real functionality associated with the real user (personality). It would have been obvious to one with ordinary skills in the art before the effective filing date of the claimed invention to modify Baddour in view of Wang to mimicking human behavior by emulating a real human/user with activity and functionality associated with the real human/user (personality) in order to enhancing the chance of successfully deceiving the attackers/malwares.
Baddour and Wang do not disclose creating malware prevention rules based on the information of the malware program, which Tal discloses,
[0110] The report processor 140 may be operable to receive the automated report 130 from the data scanner 120, to analyze the automated report 130 and to generate at least one protective element 150 directed towards removing or quarantining at least one identified web-based malware. Various protective elements 150, providing rule based logic may be generated, as appropriate, so as to prevent exploitation of the web-based malware. For example, an indication for a malware may be found in "http://website.com/index.php" file, having an &lt;iframe&gt; (an inline frame used to embed another document within the current HTML document) with a malicious URL leading to a potential harmful networked resource. The rule based logic would remove the malicious URL (optionally the &lt;iframe&gt; all together) by generating a rule associated with the malicious URL (or the &lt;iframe&gt; as a whole) for this specific file (index.php), as described hereinafter in FIG. 2C.
[0127] In this situation, the rule based logic may add the logic to remove the malicious URL (optionally, delete the &lt;iframe&gt; section all together) by generating at least one rule associated with the malicious URL (or the &lt;iframe&gt; as a whole) for the particular web file (index.php). Each time, the protective agent 35, upon receiving the web file (index.php) will apply the associated rule(s), removing the malicious URL from the web file and forward the filtered file to the requesting client.

It would have been obvious to one with ordinary skills in the art before the effective filing date of the claimed invention to include creating malware prevention rules based on the information of the malware program in the patent claims. The created rule based on the analysis would prevent exploitation of the malware program such as web-based malware or malicious URL leading to a potential harmful networked resource including a software or application. Each time the web file or software or application or URL is received, the created rule would be applied to remove the malicious or malware to protect the element, para 110, 127.

Regarding claim 8, 16, Baddour/Wang/ Tal teach accessing an aggregation service of the public network to determine the initial node accessed by the computing device. (par.71 of Baddour, the control servers extracts URLs (initial node) from the URL database (aggregation service))

Claims 4-5, 7, 12, 13, 15, is/are rejected under 35 U.S.C. 103 as being unpatentable over Baddour et al. (US 20080010683 A1) in view of Tal, Wang and further in view of Thioux et al. (US 20170289191 A1).

Regarding claim 4, 12, Baddour/Wang/Tal do not teach obtaining a use history of the browser program of the computing device, wherein the personality profile comprises the use history of the browser program. However, Thioux teaches, in par.425-430 (supports in par.137-143 of provisional application 62315920), that web browser’s cached data (use history of browser program) is modified to decoy user and password associated with URL of a website (par.425). The decoy user and password resemble a real user's credentials. The modified web browser’s cached data is modified to deceived infiltrator wno accesses the endpoint’s desktop (par.426). It would have been obvious to one with ordinary skills in the art before the effective filing date of the claimed invention to modify Baddour/Wang in view of Thioux to use web browser's cached data for the personality profile, transmit and apply it to the honey miners so that it is harder for the infiltrator/malware to recognize that they are in a decoy client/network.

Regarding claim 5, 13, Baddour/Wang/Tal/Thioux teach wherein applying the personality profile to the computing device to access the second node in the public network comprises transmitting the use history and the plurality of inputs to the browser program of the computing device. (par.71 of Baddour, the control servers provide the URLs to the honey miners. Par.72 of Baddour, the control servers control the honey miners which include actual web browsing software which is configured to visit websites according to the provided URLs and access content on the websites via the browser software. Par./73 of Baddour, “the URL 232 may often include various pages from the same web domains, as the miners may have been configured to crawl through the links in the websites.” The URLs are the profile applied to the honey miners and are the inputs. Crawling through the links in the websites means accessing at least a second node via the links). Baddour/Wang/Tal do not teach transmitting the use history to the browser program of the computing device. However, Thioux teaches, in par.425-430 (supports in par.137-143 of provisional application 62315920), that web browser’s cached data (use history of browser program) is modified to decoy user and password associated with URL of a website (par.425). The decoy user and password resemble a real user's credentials. The modified web browser’s cached data is modified to deceived infiltrator who accesses the endpoint’s desktop (par.426). It would have been obvious to one with ordinary skills in the art before the effective filing date of the claimed invention to modify Baddour/Wang/Tal in view of Thioux to modify the web browser’s cached data for the personality profile, transmit and apply it to the honey miners so that it is harder for the infiltrator/malware to recognize that they are in a decoy client/network.

Regarding claim 7, 15, Baddour/Wang/Tal/Thioux teach wherein the plurality of inputs to the browser program of the computing device comprise at least one of a mouse movement, a scrolling input, a length of viewing of the initial node in the public network, (optional language) or a selected embedded link within the initial node. (Par.73 of Baddour, “the URL 232 may often include various pages from the same web domains, as the miners may have been configured to crawl through the links in the websites.”)

Claims 6, 14 is/are rejected under 35 U.S.C. 103 as being unpatentable over Baddour et al. (US 20080010683 A1) in view of Tal, Wang and further in view of Cova et al. (“Detection and Analysis of Drive-by-Download Attacks and Malicious JavaScript Code’, 2010)(See IDS, dated 10/3/20).

Regarding claim 6, 14, Baddour/Wang/Tal does not teach adjusting the personality profile based at least on the analyzed transmission of information between the computing device and the public network during accessing of the second node of the public network. However, Cova teaches, on page 283, bottom of left column, each time the browser is redirected, reconfiguring (adjusting) the browser with a different personality. The redirection comprises transmission of information between the browser (honey miners) and the websites (second node). It would have been obvious to one with ordinary skills in the art before the effective filing date of the claimed invention to modify Baddour/Wang/Tal in view of Cova to reconfiguring (adjusting) the personality profile of the browser based on the transmission of information in order to provide countermeasures that would make attack less effective.

Claims 20, is/are rejected under 35 U.S.C. 103 as being unpatentable over Baddour in view of Tal, Wang, Thioux and Cova.
Regarding claim 20, Baddour/Wang/Tal do not teach obtaining a use history of the browser program of the computing device, wherein the personality profile comprises the use history of the browser program. However, Thioux teaches, in par.425-430 (supports in par.137-143 of provisional application 62315920), that web browser’s cached data (use history of browser program) is modified to decoy user and password associated with URL of a website (par.425). The decoy user and password resemble a real user's credentials. The modified web browser’s cached data is modified to deceived infiltrator who accesses the endpoint’s desktop (par.426). It would have been obvious to one with ordinary skills in the art before the effective filing date of the claimed invention to modify Baddour/Wang in view of Thioux to use web browser's cached data for the personality profile, transmit and apply it to the honey miners so that it is harder for the infiltrator/malware to recognize that they are in a decoy client/network.
Baddour/Wang/Tal/ Thioux does not teach adjusting the personality profile based at least on the analyzed transmission of information between the computing device and the public network during accessing of the second node of the public network. However, Cova teaches, on page 283, bottom of left column, each time the browser is redirected, reconfiguring (adjusting) the browser with a different personality. The redirection comprises transmission of information between the browser (honey miners) and the websites (second node). It would have been obvious to one with ordinary skills in the art before the effective filing date of the claimed invention to modify Baddour/Wang/Tal/Thioux in view of Cova to reconfiguring (adjusting) the personality profile of the browser based on the transmission of information in order to provide countermeasures that would make attack less effective.

Claims 2, 10, 18, 3, 11, 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Baddour in view of Tal, Wang and Porras et al., 20090064332.  
Regarding claims 2, 10, 18, 3, 11, 19 Baddour/Wang/Tal does not teach flagging a network address associated with the information of the malware program as a source of malware programs and preventing the malware program from spreading by sharing the flagged network address
with another computing device, which Porras discloses, (a network address blacklist represents a collection of source Internet Protocol (IP) addresses that have been deemed undesirable, where typically these addresses are associated with an application that has been involved in illicit activities, para 4, generating a blacklist of network addresses by collecting data from the network, identifying attacks by attack sources, assigning the attack sources to the blacklist based on rule that combine the relevance each attack source to the user and the maliciousness of the attack source, and generating the black list of network addresses and then outputting the blacklist .Abstract, para 7, Para 87 for outputting the blacklist network addresses to another device, the blacklist is used by firewall or intrusion/prevention system. para 84). It would have been obvious to one with ordinary skills in the art before the effective filing date of the claimed invention to modify Baddour/Wang/Tal in view of Porras to collect and blacklist network addresses and outputting the black list network addresses to another device. The firewall or intrusion/prevention system would be able to use the black listed network addresses in order to protect/prevent the system from attacks from the associated attack sources, para 84, 7, 87, 4. 

 
 




Conclusion
Pertinent Prior arts:
Following prior arts also disclose limitations, creating malware prevention rules based on the information of the malware program:

HWANG et al., KR 101625338 B1 Abstract
Relates to a the present invention is a system and method for detecting a malicious waypoints, the present invention collects the inspection target based on the URL address of the web site that the user is connected, and from the source code of the web site by applying abnormally and determine whether malicious stopover find new features of the code, using the URL address of the central server of finding malicious stopover synchronize all agents, and anti-intrusion created a blocking rule based on the URL address of a malicious transit system users in to a system to block the malicious traffic waypoint approach.

KR 101587161 B1 KIM et al., 
In other words, the caching unit 20 automatically generates a detection rule for an IP or a URL that provides a malicious file based on the detection result of the detection and blocking unit 50, and registers it in a block list or transmits the rule to another IDPS equipment.

Tong et al., CN 103905421 A 
[0018] as mentioned above, provides a specific embodiment of the present invention based on a URL isomerism of suspicious event detection method and system, it is compared with the traditional method, the method for detecting a plurality of malicious URL is a known malicious URL-based feature extraction based on the feature to scan for the URL, and determines whether the malicious URL. However the detection effect of existing technology depends on the magnitude or speed of updating characteristic base, and there is not detection capability for unknown malicious URL. and the technical solution of the invention uses the communication characteristics of the malicious URL, the monitoring and obtaining request sent by the network data packet and extracting URL based on the detection rules defined in the knowledge base, for detecting and judging whether it is a malicious URL for the URL, for subsequent processing based on the determination result. Because the technical solution of the invention does not depend on the known characteristic, and the use of the knowledge base can be adjusted according the situation needs to be maintained can be inwards of, adding or deleting the detection rule, so the unknown or not capturing the malicious URL has a better detection effect.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to HARESH PATEL whose telephone number is (571)272-3973.  The examiner can normally be reached on M-F 9-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado, can be reached at (571) 272-7624. The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/HARESH N PATEL/Primary Examiner, Art Unit 2496