Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


DETAILED ACTION
The instant application having Application No. 17/165,474 is presented for examination by the examiner.



Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

Claims 3, 5, 21, and 23 are rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant, regards as the invention.

As per claims 3 and 21, the use of the word ‘can’ renders the claim indefinite. The scope of the claim is not clear because the claim is directed to a possibility, not a certainty. Moreover, the use of ‘can’ raises the issue as to whether or not the limitations appearing after ‘can’ have patentable weight.
As per claims 5 and 23, ‘the exploit’ lacks antecedent basis.
Appropriate correction is required.


Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –


(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-7 and 20-29 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by USP Application Publication 2013/0036472 (Aziz).

As per claims 1, 6, and 7, Aziz teaches receiving an exploit script at a host device (controller 725) (0171 and 0175), wherein the exploit script configures a sample generator (replayer 805) at the host device [policy makes 805 replay the suspicious data; 0171 and 0176] to attempt unauthorized access to the target computing device (VM 815) (0178 and 0184); 
generating traffic, based on the exploit script, between the sample generator and the target computing device (0171 and 0176); 
collecting a plurality of samples [flagged data] of the generated traffic [the captured network data is a sampling of the simulated data, which includes modified streams; 0165, 0173, and 0179]; and
storing the plurality of samples in a storage device, wherein the storage device is accessible by the host device (0163).
As per claims 2 and 20, Aziz teaches each sample in the plurality of samples further comprises at least one distinct portion from remaining samples in the plurality of samples [flagged data (suspicious) from the stream of data captured; 0162].
As per claims 3 and 21, Aziz teaches each sample in the plurality of samples can further comprise invariant portions [non-variable portion] and variable portions [session variable part], wherein the invariant portions have identical values for different generations of the exploit script and the variable portions have unique values for different generations of the exploit script [multiple sessions of simulated streams can be generated from multiple replayers 805 and each session has its own dynamic variable substitutions; 0175].
As per claims 4 and 22, Aziz teaches the generated traffic occurs via a separate and private network between the host device and the target computing device (environment 750; 0175).
As per claims 5 and 23, Aziz teaches determining at least one characteristic of the exploit from the collected plurality of samples to detect the exploit (0160).
As per claims 24 and 27, Aziz teaches the storage device stores harvested samples from at least one of logs, direct observation or an anomaly detection system of a legacy computer system (0159).
As per claims 25 and 28, Aziz teaches the harvested samples are labeled with a class of exploits [type of malware/virus/worm/attacker; 0179 and 0187].
As per claims 26 and 29, Aziz teaches the host device transfers the plurality of samples to a legacy computer security system (copy flagged data to 730/750 for offline analysis; 0179). Examiner’s note: the specification does not provide a specific definition for “legacy” in paragraph 0050.


Conclusion
The prior art made of record and not relied upon, which is considered pertinent to applicant's disclosure, is listed on the enclosed PTO-892 form.
USP Application Publication 2008/0022405 teaches creating instruction flow graphs as part of a process to block buffer overflow attacks.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL R. VAUGHAN whose telephone number is (571) 270-7316. The examiner can normally be reached on Monday - Friday, 9:30am - 5:30pm, EST. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild, can be reached on (571) 272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MICHAEL R VAUGHAN/
Primary Examiner, Art Unit 2431