DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

The following is a Non-Final Office Action in response to applicant’s filing on 10/07/2020.
Claims 1-20 are pending.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on October 07, 2020 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):

(b) CONCLUSION. — The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim 20 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant) regards as the invention.

Claim 20 recites the limitation “the cloud-based system” in line 3. There is insufficient antecedent basis for this limitation in the claim, since it is unclear which system the term refers to. The examiner suggests clarifying the limitation “the cloud-based system” to rectify the issue.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Qureshi et al. (US 2019/0258781 A1) in view of Sharma et al. (US 2016/0154960 A1).

In regards to claim 1, Qureshi discloses a non-transitory computer-readable medium storing computer-executable instructions, and in response to execution by a node in a cloud-based system, the computer-executable instructions cause the node to perform steps of: 
obtaining network traffic associated with mobile applications operating on a user device via a tunnel between the user device and the node (Qureshi, Fig. 25 and paras. 0196 and 0197, a tunnel mediator 126 b which implements the tunneling encapsulation protocol, and which routes packets sent between the mobile devices 120 and application servers 2500), wherein the tunnel provides the network traffic for various ports and protocols (Qureshi, Para. 0197, When a mobile application writes to this port (by writing to localhost: XXX, where “XXX” is the listened-to port number), the enterprise agent 320, acting at an HTTP proxy for the mobile application, encapsulates and forwards the message, for example, as described above. More specifically, when a mobile application generates an HTTP request that is directed to an application server 2500); 
Qureshi fails to disclose extracting data from the network traffic for each transaction; 
analyzing the data for a transaction utilizing a machine learning model to obtain a score indicative of possible maliciousness of an application associated with the transaction; and
 communicating the score to the user device via the tunnel.  
However, Sharma teaches extracting data from the network traffic for each transaction (Sharma, Fig. 3, Para. 0037, at block 402, the RRF system is trained by receiving a data corpus of mobile computer applications, which includes known-malware and known-benign computer applications. At block 404, one or more features are extracted from each of the computer applications, for example, using feature module 210); 
analyzing the data for a transaction utilizing a machine learning model to obtain a score indicative of possible maliciousness of an application associated with the transaction (Sharma, Fig. 7, Para. 0060, the training module 220 creates a feature vector as discussed below, and performs a Partial Least Square analysis at block 704; and Para. 0064, the model score of the malware applications is 10, and of the benign applications is 0); and
 communicating the score to the user device via the tunnel (Sharma, Fig. 1B, and Para. 0029, the RRF system 50 also incorporates user-defined security guidelines 85. The risk rating for the computer application may be provided in a user interface 75).  
Qureshi and Sharma are both considered to be analogous to the claimed invention because they are in the same field of detecting malicious mobile applications using machine learning in a cloud-based system. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Qureshi to incorporate the teachings of Sharma to include extracting data from the network traffic for each transaction (Sharma, Fig. 3, Para. 0037); 
analyzing the data for a transaction utilizing a machine learning model to obtain a score indicative of possible maliciousness of an application associated with the transaction (Sharma, Fig. 7, Para. 0060, and Para. 0064); and communicating the score to the user device via the tunnel (Sharma, Fig. 1B and Para. 0029). Doing so would help the Compliance Checking and Rule-based algorithms determine if a user-defined security guideline is violated. These algorithms may use rules and/or heuristic methods to determine violations of user-defined security guidelines. For example, based on the permissions of the application and the API calls the application makes, a determination is made whether the application is writing to a persistent memory, such as a Secure Digital (SD) memory card, or whether the application executes a UNIX command (Sharma, Para. 0028).

In regards to claim 2, the combination of Qureshi and Sharma teaches the non-transitory computer-readable medium of claim 1, wherein the data includes any of destination Internet Protocol (IP) address, destination port, protocol, user agent, Hypertext Transport Protocol (HTTP) method, content-length, Server Name Indication (SNI) host, and extra header fields (Qureshi, Para. 0197, a mobile application generates an HTTP request that is directed to an application server 2500).  

In regards to claim 3, the combination of Qureshi and Sharma teaches the non-transitory computer-readable medium of claim 1, wherein the steps include causing the user device to block the application based on the score (Qureshi, Para. 0429 and 0430, Based on this analysis, a score (e.g., on a scale of 1 to 100) may be generated that represents the level of risk posed by the mobile application. The modification process may be terminated if this score exceeds a threshold).  

In regards to claim 4, the combination of Qureshi and Sharma teaches the non-transitory computer-readable medium of claim 1, wherein the steps include obtaining feedback from a user of the user device based on the score (Qureshi, Para. 0279, a message delivered via the user interface 304, the remedial action 216 can further include instructions for the agent 320 in the event that the user 115 does not terminate the connection or deactivate the network connection capability); and labeling the data based on the feedback for training data (Qureshi, Para. 0279, a remedial action 216 can cause the agent 320 to lock the mobile device 120 to render it unusable, perhaps until the device disconnects from the unsecured or blacklisted communication network).  

In regards to claim 5, the combination of Qureshi and Sharma teaches the non-transitory computer-readable medium of claim 1, wherein the steps include updating the machine learning model based on training data obtained from monitoring through the cloud-based system (Sharma, Para. 0036, the training module 220 also allows for retraining the RRF system to include new threat models and/or user defined security guidelines). Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Qureshi to incorporate the teachings of Sharma to include wherein the steps include updating the machine learning model based on training data obtained from monitoring through the cloud-based system (Sharma, Para. 0036). Doing so would help because the classifiers are machine learning classifiers that learn from a data set and construct a model that aids in evaluating a risk level of computer applications. The classifiers are first trained and tested using an input data set that includes known-malware and known-benign computer applications (Sharma, Para. 0025).

In regards to claim 6, the combination of Qureshi and Sharma teaches the non-transitory computer-readable medium of claim 1, wherein the tunnel includes a control channel and a data channel, wherein the control channel is utilized by the node to flag a particular application on the user device as malicious for blocking thereof (Qureshi, Para. 0237 and paras. 0280 and 0281, The enterprise agent 320 can use a mobile device rule 214 to detect a problem defined as the mobile device 120 having installed a software application 318 that the enterprise has blacklisted (i.e., forbidden for installation) or at least not white-listed (expressly permitted for installation)).  

In regards to claim 7, the combination of Qureshi and Sharma teaches the non-transitory computer-readable medium of claim 1, wherein the node performs the extracting, the analyzing, and training of the machine learning model (Sharma, Para. 0035, a software-implemented module or a combination of both, which may be configured to analyze mobile computer applications and extract various features from the computer applications), and the user device performs blocking of malicious applications based on communication from the cloud-based system via the tunnel (Sharma, Para. 0085, Both PLS and Bayesian classifiers can detect these malicious mobile computer applications before they are deployed on a user's device).  
Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Qureshi to incorporate the teachings of Sharma to include wherein the node performs the extracting, the analyzing, and training of the machine learning model (Sharma, Para. 0035), and the user device performs blocking of malicious applications based on communication from the cloud-based system via the tunnel (Sharma, Para. 0085). Doing so would help the Compliance Checking and Rule-based algorithms determine if a user-defined security guideline is violated. These algorithms may use rules and/or heuristic methods to determine violations of user-defined security guidelines. For example, based on the permissions of the application and the API calls the application makes, a determination is made whether the application is writing to a persistent memory, such as a Secure Digital (SD) memory card, or whether the application executes a UNIX command (Sharma, Para. 0028).

In regards to claim 8, the combination of Qureshi and Sharma teaches the non-transitory computer-readable medium of claim 1, wherein the steps include maintaining a list of malicious applications in the cloud-based system based on monitoring a plurality of users; detecting a presence of a malicious application on the user device based on the obtaining network traffic via the tunnel (Qureshi, Para. 0280, a rogue application that has malware or has been determined to collect device data and send the data to a rogue server; the enterprise agent 320 can use a mobile device rule 214 to detect a problem defined as the mobile device 120 having installed a software application 318 that the enterprise has blacklisted (i.e., forbidden for installation) or at least not white-listed (expressly permitted for installation)); and communicating the malicious application to the user device via the tunnel (Qureshi, Para. 0281, a corresponding remedial action 216 can cause the agent 320 to produce a message on the user interface 304, the message instructing the user 115 to uninstall the unauthorized software application 318 from the mobile device 120, perhaps within a specified time period).  

In regards to claim 9, the combination of Qureshi and Sharma teaches the non-transitory computer-readable medium of claim 1, wherein the machine learning model is configured to detect a malicious application based on leaking personal data including any of location data, financial data, and contact data (Sharma, Para. 0031, possible concerns that can be addressed or included in the threat model include leakage of sensitive information and privacy disclosure of personal information (e-mails, call logs, photos, contact lists, browser history logs), sensor information (GPS, accelerometer, audio, microphone, camera, SD card), device metadata (phone ID, system preferences, phone numbers), and user credentials (passwords, account information)). Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Qureshi to incorporate the teachings of Sharma to include wherein the machine learning model is configured to detect a malicious application based on leaking personal data including any of location data, financial data, and contact data (Sharma, Para. 0031). Doing so would help the Compliance Checking and Rule-based algorithms determine if a user-defined security guideline is violated. These algorithms may use rules and/or heuristic methods to determine violations of user-defined security guidelines. For example, based on the permissions of the application and the API calls the application makes, a determination is made whether the application is writing to a persistent memory, such as a Secure Digital (SD) memory card, or whether the application executes a UNIX command (Sharma, Para. 0028).

In regards to claim 10, Qureshi discloses a cloud-based system comprising: a central authority node (Qureshi, Fig. 1A);
and a plurality of enforcement nodes connected to one another, to the central authority node, and to a plurality of users (Qureshi, Fig. 1A);
wherein an enforcement node is configured to
obtain network traffic associated with mobile applications operating on a user device via a tunnel between the user device and the node (Qureshi, Fig. 25 and paras. 0196 and 0197, a tunnel mediator 126 b which implements the tunneling encapsulation protocol, and which routes packets sent between the mobile devices 120 and application servers 2500), 
wherein the tunnel provides the network traffic for various ports and protocols (Qureshi, Para. 0197, When a mobile application writes to this port (by writing to localhost: XXX, where “XXX” is the listened-to port number), the enterprise agent 320, acting at an HTTP proxy for the mobile application, encapsulates and forwards the message, for example, as described above. More specifically, when a mobile application generates an HTTP request that is directed to an application server 2500), 
Qureshi fails to disclose extract data from the network traffic for each transaction, 
analyze the data for a transaction utilizing a machine learning model to obtain a score indicative of possible maliciousness of an application associated with the transaction, and 
communicate the score to the user device via the tunnel. 
However, Sharma teaches extract data from the network traffic for each transaction (Sharma, Fig. 3, Para. 0037, at block 402, the RRF system is trained by receiving a data corpus of mobile computer applications, which includes known-malware and known-benign computer applications. At block 404, one or more features are extracted from each of the computer applications, for example, using feature module 210), 
analyze the data for a transaction utilizing a machine learning model to obtain a score indicative of possible maliciousness of an application associated with the transaction (Sharma, Fig. 7, Para. 0060, the training module 220 creates a feature vector as discussed below, and performs a Partial Least Square analysis at block 704; and Para. 0064, the model score of the malware applications is 10, and of the benign applications is 0), and 
communicate the score to the user device via the tunnel (Sharma, Fig. 1B, and Para. 0029, the RRF system 50 also incorporates user-defined security guidelines 85. The risk rating for the computer application may be provided in a user interface 75). 
Qureshi and Sharma are both considered to be analogous to the claimed invention because they are in the same field of detecting malicious mobile applications using machine learning in a cloud-based system. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Qureshi to incorporate the teachings of Sharma to include extract data from the network traffic for each transaction (Sharma, Fig. 3, Para. 0037), 
analyze the data for a transaction utilizing a machine learning model to obtain a score indicative of possible maliciousness of an application associated with the transaction (Sharma, Fig. 7, Para. 0060), and communicate the score to the user device via the tunnel (Sharma, Fig. 1B, and Para. 0029). Doing so would help the Compliance Checking and Rule-based algorithms determine if a user-defined security guideline is violated. These algorithms may use rules and/or heuristic methods to determine violations of user-defined security guidelines. For example, based on the permissions of the application and the API calls the application makes, a determination is made whether the application is writing to a persistent memory, such as a Secure Digital (SD) memory card, or whether the application executes a UNIX command (Sharma, Para. 0028).

In regards to claim 11, the combination of Qureshi and Sharma teaches the cloud-based system of claim 10, wherein the data includes any of destination Internet Protocol (IP) address, destination port, protocol, user agent, Hypertext Transport Protocol (HTTP) method, content-length, Server Name Indication (SNI) host, and extra header fields (Qureshi, Para. 0197, a mobile application generates an HTTP request that is directed to an application server 2500).    

In regards to claim 12, the combination of Qureshi and Sharma teaches the cloud-based system of claim 10, wherein the enforcement node is configured to cause the user device to block the application based on the score (Qureshi, Para. 0429 and 0430, Based on this analysis, a score (e.g., on a scale of 1 to 100) may be generated that represents the level of risk posed by the mobile application. The modification process may be terminated if this score exceeds a threshold).   

In regards to claim 13, the combination of Qureshi and Sharma teaches the cloud-based system of claim 10, wherein the enforcement node is configured to obtain feedback from a user of the user device based on the score (Qureshi, Para. 0279, a message delivered via the user interface 304, the remedial action 216 can further include instructions for the agent 320 in the event that the user 115 does not terminate the connection or deactivate the network connection capability); and label the data based on the feedback for training data (Qureshi, Para. 0279, a remedial action 216 can cause the agent 320 to lock the mobile device 120 to render it unusable, perhaps until the device disconnects from the unsecured or blacklisted communication network).  

In regards to claim 14, the combination of Qureshi and Sharma teaches the cloud-based system of claim 10, wherein the enforcement node is configured to update the machine learning model based on training data obtained from monitoring through the cloud-based system (Sharma, Para. 0036, the training module 220 also allows for retraining the RRF system to include new threat models and/or user defined security guidelines). Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Qureshi to incorporate the teachings of Sharma to include wherein the enforcement node is configured to update the machine learning model based on training data obtained from monitoring through the cloud-based system (Sharma, Para. 0036). Doing so would help because the classifiers are machine learning classifiers that learn from a data set and construct a model that aids in evaluating a risk level of computer applications. The classifiers are first trained and tested using an input data set that includes known-malware and known-benign computer applications (Sharma, Para. 0025).

In regards to claim 15, the combination of Qureshi and Sharma teaches the cloud-based system of claim 10, wherein the tunnel includes a control channel and a data channel, wherein the control channel is utilized by the node to flag a particular application on the user device as malicious for blocking thereof (Qureshi, Para. 0237 and paras. 0280 and 0281, The enterprise agent 320 can use a mobile device rule 214 to detect a problem defined as the mobile device 120 having installed a software application 318 that the enterprise has blacklisted (i.e., forbidden for installation) or at least not white-listed (expressly permitted for installation)).  

In regards to claim 16, the combination of Qureshi and Sharma teaches the cloud-based system of claim 10, wherein the steps include maintaining a list of malicious applications in the cloud-based system based on monitoring a plurality of users; detecting a presence of a malicious application on the user device based on the obtaining network traffic via the tunnel (Qureshi, Para. 0280, a rogue application that has malware or has been determined to collect device data and send the data to a rogue server; the enterprise agent 320 can use a mobile device rule 214 to detect a problem defined as the mobile device 120 having installed a software application 318 that the enterprise has blacklisted (i.e., forbidden for installation) or at least not white-listed (expressly permitted for installation)); and communicating the malicious application to the user device via the tunnel (Qureshi, Para. 0281, a corresponding remedial action 216 can cause the agent 320 to produce a message on the user interface 304, the message instructing the user 115 to uninstall the unauthorized software application 318 from the mobile device 120, perhaps within a specified time period).  

In regards to claim 17, Qureshi discloses a method comprising: 
obtaining network traffic associated with mobile applications operating on a user device via a tunnel between the user device and the node (Qureshi, Fig. 25 and paras. 0196 and 0197, a tunnel mediator 126 b which implements the tunneling encapsulation protocol, and which routes packets sent between the mobile devices 120 and application servers 2500), wherein the tunnel provides the network traffic for various ports and protocols (Qureshi, Para. 0197, When a mobile application writes to this port (by writing to localhost: XXX, where “XXX” is the listened-to port number), the enterprise agent 320, acting at an HTTP proxy for the mobile application, encapsulates and forwards the message, for example, as described above. More specifically, when a mobile application generates an HTTP request that is directed to an application server 2500); 
Qureshi fails to disclose extracting data from the network traffic for each transaction; 
analyzing the data for a transaction utilizing a machine learning model to obtain a score indicative of possible maliciousness of an application associated with the transaction; and 
communicating the score to the user device via the tunnel. 
However, Sharma teaches extracting data from the network traffic for each transaction (Sharma, Fig. 3, Para. 0037, at block 402, the RRF system is trained by receiving a data corpus of mobile computer applications, which includes known-malware and known-benign computer applications. At block 404, one or more features are extracted from each of the computer applications, for example, using feature module 210); 
analyzing the data for a transaction utilizing a machine learning model to obtain a score indicative of possible maliciousness of an application associated with the transaction (Sharma, Fig. 7, Para. 0060, the training module 220 creates a feature vector as discussed below, and performs a Partial Least Square analysis at block 704; and Para. 0064, the model score of the malware applications is 10, and of the benign applications is 0); and 
communicating the score to the user device via the tunnel (Sharma, Fig. 1B, and Para. 0029, the RRF system 50 also incorporates user-defined security guidelines 85. The risk rating for the computer application may be provided in a user interface 75). Qureshi and Sharma are both considered to be analogous to the claimed invention because they are in the same field of detecting malicious mobile applications using machine learning in a cloud-based system. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Qureshi to incorporate the teachings of Sharma to include extracting data from the network traffic for each transaction (Sharma, Fig. 3, Para. 0037); analyzing the data for a transaction utilizing a machine learning model to obtain a score indicative of possible maliciousness of an application associated with the transaction (Sharma, Fig. 7, Para. 0060 and Para. 0064); and 
communicating the score to the user device via the tunnel (Sharma, Fig. 1B, and Para. 0029). Doing so would help the Compliance Checking and Rule-based algorithms determine if a user-defined security guideline is violated. These algorithms may use rules and/or heuristic methods to determine violations of user-defined security guidelines. For example, based on the permissions of the application and the API calls the application makes, a determination is made whether the application is writing to a persistent memory, such as a Secure Digital (SD) memory card, or whether the application executes a UNIX command (Sharma, Para. 0028).

In regards to claim 18, the combination of Qureshi and Sharma teaches the method of claim 17, wherein the data includes any of destination Internet Protocol (IP) address, destination port, protocol, user agent, Hypertext Transport Protocol (HTTP) method, content-length, Server Name Indication (SNI) host, and extra header fields (Qureshi, Para. 0197, a mobile application generates an HTTP request that is directed to an application server 2500).    

In regards to claim 19, the combination of Qureshi and Sharma teaches the method of claim 17, comprising obtaining feedback from a user of the user device based on the score (Qureshi, Para. 0279, a message delivered via the user interface 304, the remedial action 216 can further include instructions for the agent 320 in the event that the user 115 does not terminate the connection or deactivate the network connection capability); and labeling the data based on the feedback for training data (Qureshi, Para. 0279, a remedial action 216 can cause the agent 320 to lock the mobile device 120 to render it unusable, perhaps until the device disconnects from the unsecured or blacklisted communication network).   

In regards to claim 20, the combination of Qureshi and Sharma teaches the method of claim 17, comprising updating the machine learning model based on training data obtained from monitoring through the cloud-based system (Sharma, Para. 0036, the training module 220 also allows for retraining the RRF system to include new threat models and/or user defined security guidelines). Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Qureshi to incorporate the teachings of Sharma to include wherein the enforcement node is configured to update the machine learning model based on training data obtained from monitoring through the cloud-based system (Sharma, Para. 0036). Doing so would help because the classifiers are machine learning classifiers that learn from a data set and construct a model that aids in evaluating a risk level of computer applications. The classifiers are first trained and tested using an input data set that includes known-malware and known-benign computer applications (Sharma, Para. 0025).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
Verma et al. (US 11,323,486 B2) teaches methods and systems for enhanced security for CIoT in mobile networks, which in accordance with some embodiments include monitoring network traffic on a service provider network at a security platform to identify a subscriber identity for a new session.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GITA FARAMARZI whose telephone number is (571) 272-0248. The examiner can normally be reached 9:30 AM - 6:30 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado can be reached on (571) 272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/G.F./
Examiner, Art Unit 2496

/JORGE L ORTIZ CRIADO/Supervisory Patent Examiner, Art Unit 2496