Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Office Action is in response to the instant Application 17/015,977 filed on 09/09/2020. Claims 1-21 are pending. This Office Action is Non-Final.

Information Disclosure Statement
The information disclosure statement (IDS), submitted on 9/9/2020, is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: module in claims 5 and 17.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 13-15 and 17-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Mohanta et al. (US 20200267170) in view of Lentczner et al. (US 2017/0063682).

	As per claim 13, Mohanta teaches a network malicious behavior detection method, which is implemented by a networking system having a path control module, a packet characteristic checking module, and a packet behavior analysis module, the method including: using the packet characteristic checking module to check each piece of the network packet to determine whether a protocol payload contained therein matches an element in a predetermined protocol payload set, mark each piece of the network packet corresponding to the check result as a suspicious network packet if the check result is true (Mohanta, Paragraph 0052 recites “ In various embodiments, collected network data may be initially identified as suspicious until determined otherwise (e.g., associated with a whitelist) or until heuristics find no reason that the network data should be flagged as suspicious. In some embodiments, the data flagging module 418 may perform packet analysis to look for suspicious characteristics in the header, footer, destination IP, origin IP, payload, and the like. Those skilled in the art will appreciate that the data flagging module 418 may perform a heuristic analysis, a statistical analysis, and/or signature identification to determine if the collected network data is suspicious. Signature identification may involve searching for known patterns of suspicious data within the collected data's code.”), 
	and drive a path control module to transfer each piece of the network packet corresponding to the check result to a target device if the check result is false (Mohanta, Paragraph 0048 recites “For example, if data is directed between two known and trustworthy sources (e.g., the data is communicated between two devices on a whitelist), the data collector may not collect the data.” This is being interpreted that the packet has tested false and is allowed to go to its intended target).
	But fails to teach using the packet behavior analysis module to perform a malicious behavior checking process on at least one piece of the suspicious network packet, drive the path control module to block a transfer of at least one piece of the suspicious network packet corresponding to the check result to the target device if the check result is true, and drive the path control module to enable a transfer of at least one piece of the suspicious network packet corresponding to the check result to the target device if the check result is false.
	However, in an analogous art Lentczner teaches using the packet behavior analysis module to perform a malicious behavior checking process on at least one piece of the suspicious network packet, drive the path control module to block a transfer of at least one piece of the suspicious network packet corresponding to the check result to the target device if the check result is true, and drive the path control module to enable a transfer of at least one piece of the suspicious network packet corresponding to the check result to the target device if the check result is false (Lentczner, Paragraph 0030 recites “In some implementations, network functions are unidirectional. That is, the function only need be carried out when a packet enters the network from a foreign network (such as the Internet) but not when a packet leaves the network, or vice versa. An example of such a network function is an access control list (ACL) function. The ACL function filters out packets by comparing information in the packet to an access control list (such as a black list of source IP addresses, or header tuples) to enforce security policies, e.g., to filter out packets known to come from spoofed IP addresses or having known signatures associated with packets associated malicious behavior. In some other implementations, the ACL function can also be applied to packets exiting the network, for example, to prevent unauthorized leakage of sensitive information by blocking packets originating from IP addresses of certain identified devices.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Lentczner’s systems and methods for externalizing network functions via packet trunking with Mohanta’s system and method for detecting and classifying malware because the use of adding a packet behavior inspection is an added layer of security to prevent unauthorized accesses to the network.

	As per claim 14, Mohantas in combination with Lentczner teaches the network malicious behavior detection method as disclosed in claim 13, Lentczner further teaches wherein the predetermined protocol payload set includes an ARP payload, an ICMP payload, a TCP payload with a SYN being 1, and a UDP payload with a destination network address containing a port number of 53 (Lentczner, Paragraph 0059 recites “FIG. 6A shows a typical packet header for an IPv6 packet. A typical packet includes layer 2 data link layer (e.g., Ethernet) header fields, layer 3 network layer (e.g., IPv4 or IPv6) header fields, and layer 4 transport layer (e.g., TCP) header fields. FIG. 6A highlights the location of the destination MAC address field 602 in a typical IPv6 packet.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Lentczner’s systems and methods for externalizing network functions via packet trunking with Mohanta’s system and method for detecting and classifying malware because the use of adding a packet behavior inspection is an added layer of security to prevent unauthorized accesses to the network.

	As per claim 15, Mohantas in combination with Lentczner teaches the network malicious behavior detection method as disclosed in claim 13, Lentczner further teaches wherein the malicious behavior includes a trait selected from a group consisting of a plurality of the suspicious network packets with a same source address but different destination addresses appear within a predetermined period of time, a plurality of the suspicious network packets with a same source address, a same destination address but different port addresses appear within a predetermined period of time, a piece of the suspicious network packet having a source address in a blacklist, a piece of the suspicious network packet having a source address not found in a whitelist, a plurality of the suspicious network packets issued from a network device requesting a plurality of non-existing domain names within a predetermined period of time, a plurality of the suspicious network packets issued from a network device requesting at least one non-existing domain name in every day of a plurality of consecutive days, and a plurality of the suspicious network packets issued from a plurality of network devices requesting at least one same non-existing domain name (Lentczner, Paragraph 0030 recites “In some implementations, network functions are unidirectional. That is, the function only need be carried out when a packet enters the network from a foreign network (such as the Internet) but not when a packet leaves the network, or vice versa. An example of such a network function is an access control list (ACL) function. The ACL function filters out packets by comparing information in the packet to an access control list (such as a black list of source IP addresses, or header tuples) to enforce security policies, e.g., to filter out packets known to come from spoofed IP addresses or having known signatures associated with packets associated malicious behavior. In some other implementations, the ACL function can also be applied to packets exiting the network, for example, to prevent unauthorized leakage of sensitive information by blocking packets originating from IP addresses of certain identified devices.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Lentczner’s systems and methods for externalizing network functions via packet trunking with Mohanta’s system and method for detecting and classifying malware because the use of adding a packet behavior inspection is an added layer of security to prevent unauthorized accesses to the network.

	Regarding claim 17, claim 17 is directed to a similar system associated with the method of claim 13 respectively. Claim 17 is similar in scope to claim 13, respectively, and are therefore rejected under similar rationale. 

	Regarding claim 18, claim 18 is directed to a similar system associated with the method of claim 14 respectively. Claim 18 is similar in scope to claim 14, respectively, and are therefore rejected under similar rationale. 

	Regarding claim 19, claim 19 is directed to a similar system associated with the method of claim 15 respectively. Claim 19 is similar in scope to claim 15, respectively, and are therefore rejected under similar rationale. 

	As per claim 20, Mohantas in combination with Lentczner teaches the networking system as disclosed in claim 17, Lentczner further teaches wherein the blacklist includes a network address or a domain name of a command-and-control server associated with a malware (Lentczner, Paragraph 0030 recites “In some implementations, network functions are unidirectional. That is, the function only need be carried out when a packet enters the network from a foreign network (such as the Internet) but not when a packet leaves the network, or vice versa. An example of such a network function is an access control list (ACL) function. The ACL function filters out packets by comparing information in the packet to an access control list (such as a black list of source IP addresses, or header tuples) to enforce security policies, e.g., to filter out packets known to come from spoofed IP addresses or having known signatures associated with packets associated malicious behavior. In some other implementations, the ACL function can also be applied to packets exiting the network, for example, to prevent unauthorized leakage of sensitive information by blocking packets originating from IP addresses of certain identified devices.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Lentczner’s systems and methods for externalizing network functions via packet trunking with Mohanta’s system and method for detecting and classifying malware because the use of adding a packet behavior inspection is an added layer of security to prevent unauthorized accesses to the network.

Claims 16 and 21 is/are rejected under 35 U.S.C. 103 as being unpatentable over Mohanta et al. (US 20200267170) and Lentczner et al. (US 2017/0063682) and in further view of Turner et al. (US 7,251,215)

	As per claim 16, Mohantas in combination with Lentczner teaches the network malicious behavior detection method as disclosed in claim 13, but fails to teach using a traffic flow detection module to let all the network packets be put into the packet behavior analysis module to undergo the malicious behavior checking process when a detected traffic flow of the network packets is lower than a threshold; or using the packet characteristic checking module to execute a flow detection process to obtain a traffic flow value of the network packets, and let each piece of the network packet be put into the packet behavior analysis module to undergo the malicious behavior checking process when the traffic flow value is lower than a threshold.
	However, in an analogous art Turner teaches using a traffic flow detection module to let all the network packets be put into the packet behavior analysis module to undergo the malicious behavior checking process when a detected traffic flow of the network packets is lower than a threshold; or using the packet characteristic checking module to execute a flow detection process to obtain a traffic flow value of the network packets, and let each piece of the network packet be put into the packet behavior analysis module to undergo the malicious behavior checking process when the traffic flow value is lower than a threshold (Turner, Claim 1 recites “1. A method comprising: receiving packets from a network via an interface card of a network device; calculating, with the network device, flow statistics for the packets; identifying, with the network device, a set of packet flows for the received packets based on the flow statistics; determining, with the network device, whether a traffic level for each of the packet flows of the received packets exceeds a threshold to identify suspicious packet flows; when the traffic level for one of the packet flows exceeds the threshold, intercepting the packets associated with the identified suspicious packet flows and directing the intercepted packets of the suspicious packet flows to a packet analysis module within the network device; analyzing, with the packet analysis module, contents of the intercepted packets of the suspicious packet flows to determine the presence of a network attack; updating routing information within the network device based on a result of the determination; and routing the packets with the network device in accordance with the routing information.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Tuner’s  Adaptive Network Router with Mohanta’s system and method for detecting and classifying malware because the use of adding a flow  inspection is an added layer of security to prevent unauthorized accesses to the network.

	Regarding claim 21, claim 21 is directed to a similar system associated with the method of claim 16 respectively. Claim 21 is similar in scope to claim 16, respectively, and are therefore rejected under similar rationale. 


Allowable Subject Matter
Claims 1-12 are allowed.
The following is an examiner’s statement of reasons for allowance:
The current invention is directed to a network malicious behavior detection method, including: checking each piece of network packet to determine whether a protocol payload contained therein matches an element in a predetermined protocol payload set, marking each piece of the network packet as a suspicious network packet if the check result is true, and transferring each piece of the network packet to a target device if the check result is false; and performing a malicious behavior checking process on at least one piece of the suspicious network packet, blocking the transfer of at least one piece of the suspicious network packet to the target device if the check result is true, and enabling the transfer of at least one piece of the suspicious network packet to the target device if the check result is false.
	A search was conducted by Examiner and the closest prior art of Mohanta et al. (US 20200267170) in view Lentczner et al. (US 2017/0063682) and Turner et al. (US 7,251,215) fails to disclose, teach or even suggest “using the packet characteristic extraction module to get data in at least one layer of each piece of network packet to generate a characteristic data segment for each piece of the network packet, the layer being selected from a group consisting of the network layer, the transmission layer and the data link layer; using the packet characteristic checking module to check each piece of the characteristic data segment to determine whether a protocol payload contained therein matches an element in a predetermined protocol payload set, if the check result is true, drive the mirroring module to generate a mirror packet according to a piece of the network packet corresponding to the check result, and if the check result is false, drive the path control module to enable a piece of the network packet corresponding to the check result to be transferred to a target device; and using the packet behavior analysis module to perform a malicious behavior detecting process on at least one piece of the mirror packet, if the check result is true.”
	The closest prior art is able to teaches the network detection of malicious via network packets.  Specifically, it teaches methods which include looking and payloads of a packet and determining if a payload malicious.  It further looks at packet behavior to determine if a packet is malicious or not.  What the references above fail to teach, is the specific implementation and use using data to generate characteristic of data based on a selected network layer and mirror packets.  While on their own these limitations are taught by prior art, it is how Applicant’s specific implementation, as recited in their claim language, is not taught by conventional means.  Conventional means would look a network packets behavior to determine maliciousness. In rare occasions a mirror packet might be used if a packet is not known to be malicious, as tested again for maliciousness, but not how Applicant is implementing it.  Further, the instant application is performing packet inspection based on a selected network layer.  This is not something that is taught by conventional means.  Typical packet inspection is done without bias to different layers.  As a result the claims are in condition for Allowance.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RODERICK TOLENTINO whose telephone number is (571)272-2661. The examiner can normally be reached Mon- Fri 8am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 571-270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

RODERICK . TOLENTINO
Examiner
Art Unit 2439



/RODERICK TOLENTINO/Primary Examiner, Art Unit 2439