Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on April 14, 2021 has been considered by the examiner.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1, 10 and 12 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 1 and 6 respectively of U.S. Patent No. 9,860,259. Although the claims at issue are not identical, they are not patentably distinct from each other because limitation features of claims 1, 10 and 12 are generic to corresponding limitations of claims 1, 1 and 6 respectively and therefore claims 1, 10 and 12 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 1 and 6 respectively of U.S. Patent No. 9,860,259.
Current Application No.: 17/174,182
US Pat. No.: 9,860,259
1. A method for scanning computer data, the method comprising: scanning a first out of order portion of a dataset from an input state associated with malware, wherein the first out of order portion is sent to a destination after the scanning; generating a pattern that identifies the malware as a result of the scanning the first out of order portion generating an output state by scanning a second out of order portion of the dataset that immediately precedes the first out of order portion of the dataset; identifying that the dataset includes the set of malware based on matching of the input and output state; and blocking the second out of order portion of the dataset from being sent to the destination based on the identification that the dataset includes the malware
1. A method for deep packet inspection scanning, the method comprising: receiving a first portion of a data set at an application layer of a computer system in an out of order sequence; identifying a first input state associated with the data set, wherein the first input state includes a portion of information included in a piece of malicious content identified by a rule; scanning with the DPI scanner the first portion of the received data set at the application layer from at least the first input state; generating a first output state based on the scan of the first portion, wherein the first output state corresponds to the malicious content; identifying that a second portion of the data set follows the first portion of the data set; scanning with the DPI scanner the second portion of the data set from the first output state; generating a second output state based on the scan of the second portion; identifying that a third portion of the data set precedes the first portion of the data set; scanning the third portion of the data set from the first input state; generating a third output state based on the scan of the third portion; identifying that the third output state corresponds to the first input state; and indicating that the data set contains the malicious content, wherein the first input state, the first output state, and the second output state corresponds to the rule.
10. A method for identifying malicious program code, the method comprising: storing a state mapping in memory, wherein the state mapping associates a first group of characters with a first state and a second group of characters with a second state; identifying that a first portion of the dataset includes the second group of characters based on scanning the first portion of a dataset from the first state; comparing the first state with an output state that was generated when a second portion of the dataset was scanned; identifying that the dataset includes the set of malware based on the output state matching the first state; and blocking data from being sent to a destination based on the identification that the dataset includes the set of malware.
1. A method for deep packet inspection scanning, the method comprising: receiving a first portion of a data set at an application layer of a computer system in an out of order sequence; identifying a first input state associated with the data set, wherein the first input state includes a portion of information included in a piece of malicious content identified by a rule; scanning with the DPI scanner the first portion of the received data set at the application layer from at least the first input state; generating a first output state based on the scan of the first portion, wherein the first output state corresponds to the malicious content; identifying that a second portion of the data set follows the first portion of the data set; scanning with the DPI scanner the second portion of the data set from the first output state; generating a second output state based on the scan of the second portion; identifying that a third portion of the data set precedes the first portion of the data set; scanning the third portion of the data set from the first input state; generating a third output state based on the scan of the third portion; identifying that the third output state corresponds to the first input state; and indicating that the data set contains the malicious content, wherein the first input state, the first output state, and the second output state corresponds to the rule.
12. A non-transitory computer-readable storage medium having embodied thereon a program executable by a processor for implementing a method for scanning computer data, the method comprising: scanning a first out of order portion of a dataset from an input state associated with malware, wherein the first out of order portion is sent to a destination after the scanning; generating a pattern that identifies the malware as a result of the scanning the first out of order portion generating an output state by scanning a second out of order portion of the dataset that immediately precedes the first out of order portion of the dataset; identifying that the dataset includes the set of malware based on matching of the input and output state; and blocking the second out of order portion of the dataset from being sent to the destination based on the identification that the dataset includes the malware.
6. A non-transitory computer-readable storage medium having embodied thereon a program executable by a processor to perform a method for deep packet inspection scanning, the method comprising: receiving a first portion of a data set at an application layer of a computer system in an out of order sequence; identifying a first input state associated with the data set, wherein the first input state includes a portion of information included in a piece of malicious content identified by a rule; scanning with the DPI scanner the first portion of the received data set at the application layer from at least the first input state; generating a first output state based on the scan of the first portion, wherein the first output state corresponds to the malicious content; identifying that a second portion of the data set follows the first portion of the data set; scanning with the DPI scanner the second portion of the data set from the first output state; generating a second output state based on the scan of the second portion; identifying that a third portion of the data set precedes the first portion of the data set; scanning the third portion of the data set from the first input state; generating a third output state based on the scan of the third portion; identifying that the third output state corresponds to the first input state; and indicating that the data set contains the malicious content, wherein the first input state, the first output state, and the second output state corresponds to the rule.



Claims 1, 10 and 12 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 1 and 13 respectively of U.S. Patent No. 10,630,697. Although the claims at issue are not identical, they are not patentably distinct from each other because limitation features of claims 1, 10 and 12 are generic to corresponding limitations of claims 1, 1 and 13 respectively and therefore claims 1, 10 and 12 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 1 and 13 respectively of U.S. Patent No. 10,630,697.
Current Application No.: 17/174,182
US Pat. No.: 10,630,697
1. A method for scanning computer data, the method comprising: scanning a first out of order portion of a dataset from an input state associated with malware, wherein the first out of order portion is sent to a destination after the scanning; generating a pattern that identifies the malware as a result of the scanning the first out of order portion generating an output state by scanning a second out of order portion of the dataset that immediately precedes the first out of order portion of the dataset; identifying that the dataset includes the set of malware based on matching of the input and output state; and blocking the second out of order portion of the dataset from being sent to the destination based on the identification that the dataset includes the malware
1. A method for deep packet inspection scanning, the method comprising: receiving a first portion of a data set at an application layer of a computer system in an out-of-order sequence via a computer network; scanning by a processor executing instructions out of a memory the first portion of the received out-of-order data set at the application layer from at least a first input state of a plurality of input states, wherein the first input state includes a portion of information included in a piece of malicious content; identifying by the processor executing the instructions out of the memory that the data set includes a pattern indicative of the malicious content after the first portion of the received data set has been scanned from the first input state; scanning a plurality of different portions of a second data set from the plurality of input states; and identifying that the second data set includes the malicious content based on an evaluation of a chain of states associated with at least some of the plurality of input states and with an output state of the scan.
10. A method for identifying malicious program code, the method comprising: storing a state mapping in memory, wherein the state mapping associates a first group of characters with a first state and a second group of characters with a second state; identifying that a first portion of the dataset includes the second group of characters based on scanning the first portion of a dataset from the first state; comparing the first state with an output state that was generated when a second portion of the dataset was scanned; identifying that the dataset includes the set of malware based on the output state matching the first state; and blocking data from being sent to a destination based on the identification that the dataset includes the set of malware.
1. A method for deep packet inspection scanning, the method comprising: receiving a first portion of a data set at an application layer of a computer system in an out-of-order sequence via a computer network; scanning by a processor executing instructions out of a memory the first portion of the received out-of-order data set at the application layer from at least a first input state of a plurality of input states, wherein the first input state includes a portion of information included in a piece of malicious content; identifying by the processor executing the instructions out of the memory that the data set includes a pattern indicative of the malicious content after the first portion of the received data set has been scanned from the first input state; scanning a plurality of different portions of a second data set from the plurality of input states; and identifying that the second data set includes the malicious content based on an evaluation of a chain of states associated with at least some of the plurality of input states and with an output state of the scan.
12. A non-transitory computer-readable storage medium having embodied thereon a program executable by a processor for implementing a method for scanning computer data, the method comprising: scanning a first out of order portion of a dataset from an input state associated with malware, wherein the first out of order portion is sent to a destination after the scanning; generating a pattern that identifies the malware as a result of the scanning the first out of order portion generating an output state by scanning a second out of order portion of the dataset that immediately precedes the first out of order portion of the dataset; identifying that the dataset includes the set of malware based on matching of the input and output state; and blocking the second out of order portion of the dataset from being sent to the destination based on the identification that the dataset includes the malware.
13. A system for sharing computer data, the system comprising: a peer to peer (P2P) computer network comprising a plurality of network communication channels; and a first computing device communicatively coupled to a plurality of other computing devices in the P2P computer network by way of one or more of the communication channels, wherein the first computing device: receives a plurality of different portions of a data set from a second and third computing device in the P2P computer network, wherein at least one of the plurality of different portions of the data set are received out-of-order, performs an out-of-order scan of a first portion of the data set from a plurality of input states, scans a second portion of the data set from the plurality of input states, identifies that the data set includes malicious content based on the scanning of at least the first and second portions of the data set, blocks additional portions of the data set from being received based on the identification of the malicious content being included in the data set; scans a plurality of different portions of a second data set from the plurality of input states; and identifies that the second data set does not include the malicious content based on an evaluation of a chain of states associated with at least some of the plurality of input states and with an output state of the scan.



Claims 1, 10 and 12 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 1 and 8 respectively of U.S. Patent No. 11,005,858. Although the claims at issue are not identical, they are not patentably distinct from each other because limitation features of claims 1, 10 and 12 are generic to corresponding limitations of claims 1, 1 and 8 respectively and therefore claims 1, 10 and 12 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 1 and 8 respectively of U.S. Patent No. 11,005,858.
Current Application No.: 17/174,182
US Pat. No.: 11,005,858
1. A method for scanning computer data, the method comprising: scanning a first out of order portion of a dataset from an input state associated with malware, wherein the first out of order portion is sent to a destination after the scanning; generating a pattern that identifies the malware as a result of the scanning the first out of order portion generating an output state by scanning a second out of order portion of the dataset that immediately precedes the first out of order portion of the dataset; identifying that the dataset includes the set of malware based on matching of the input and output state; and blocking the second out of order portion of the dataset from being sent to the destination based on the identification that the dataset includes the malware
1. A method for scanning computer data, the method comprising: scanning at an application layer in a peer-to-peer network an out of order first portion of a dataset from an input state associated with a portion of a set of malware, wherein the out of order first portion of the dataset is sent to a destination after the scanning of the out of order first portion of the dataset and the scanning occurs by a processor executing instructions out of a memory; identifying by the processor executing the instructions out of the memory that the dataset includes the portion of the set of malware based on the scanning of the out of order first portion of the dataset from the state associated with the portion of the set of malware; scanning at the application layer in the peer-to-peer network a second out of order portion of the dataset that immediately precedes the first out of order portion of the dataset, the scanning of the second out of order portion of the dataset resulting in generation of an output state that matches the input state, wherein the scanning of the second out of order portion of the dataset also occurs by the processor executing the instructions out of the memory; and blocking by the processor executing the instructions out of the memory the second portion of the out of order dataset from being sent to the destination based on the output state matching the input state and an identification that the dataset includes the set of malware.
10. A method for identifying malicious program code, the method comprising: storing a state mapping in memory, wherein the state mapping associates a first group of characters with a first state and a second group of characters with a second state; identifying that a first portion of the dataset includes the second group of characters based on scanning the first portion of a dataset from the first state; comparing the first state with an output state that was generated when a second portion of the dataset was scanned; identifying that the dataset includes the set of malware based on the output state matching the first state; and blocking data from being sent to a destination based on the identification that the dataset includes the set of malware.
1. A method for scanning computer data, the method comprising: scanning at an application layer in a peer-to-peer network an out of order first portion of a dataset from an input state associated with a portion of a set of malware, wherein the out of order first portion of the dataset is sent to a destination after the scanning of the out of order first portion of the dataset and the scanning occurs by a processor executing instructions out of a memory; identifying by the processor executing the instructions out of the memory that the dataset includes the portion of the set of malware based on the scanning of the out of order first portion of the dataset from the state associated with the portion of the set of malware; scanning at the application layer in the peer-to-peer network a second out of order portion of the dataset that immediately precedes the first out of order portion of the dataset, the scanning of the second out of order portion of the dataset resulting in generation of an output state that matches the input state, wherein the scanning of the second out of order portion of the dataset also occurs by the processor executing the instructions out of the memory; and blocking by the processor executing the instructions out of the memory the second portion of the out of order dataset from being sent to the destination based on the output state matching the input state and an identification that the dataset includes the set of malware.
12. A non-transitory computer-readable storage medium having embodied thereon a program executable by a processor for implementing a method for scanning computer data, the method comprising: scanning a first out of order portion of a dataset from an input state associated with malware, wherein the first out of order portion is sent to a destination after the scanning; generating a pattern that identifies the malware as a result of the scanning the first out of order portion generating an output state by scanning a second out of order portion of the dataset that immediately precedes the first out of order portion of the dataset; identifying that the dataset includes the set of malware based on matching of the input and output state; and blocking the second out of order portion of the dataset from being sent to the destination based on the identification that the dataset includes the malware.
8. A non-transitory computer-readable storage medium having embodied thereon a program executable by a processor to implement a method for scanning computer data, the method comprising the processor executing instructions of the program out of a memory to: scan at an application layer in a peer-to-peer network an out of order first portion of a dataset from an input state associated with a portion of a set of malware, wherein the out of order first portion of the dataset is sent to a destination after the scanning of the out of order first portion of the dataset; identify that the dataset includes the portion of the set of malware based on the scanning of the out of order first portion of the dataset from the state associated with the portion of the set of malware; scan at the application layer in the peer-to-peer network a second out of order portion of the dataset that immediately precedes the first out of order portion of the dataset, the scanning of the second out of order portion of the dataset resulting in a generation of an output state that matches the input state; and block the second portion of the out of order dataset from being sent to the destination based on the output state matching the input state and an identification that the dataset includes the set of malware.




Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-11 and 20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 1 recites the limitation "the set of malware" in line 5.
Claim 10 recites the limitation "the dataset" in lines 5, 8 and 9.
Claim 10 recites the limitation "the set of malware" in lines 9 and 12.
Claim 10 recites the limitation “an output state that was generated” in line 7. No output state was generated previously.
Claim 10 recites the limitation “the dataset was scanned” in line 8. No dataset was scanned previously.
There is insufficient antecedent basis for these limitations in the claims.

Claim 3, line 1, recites the limitation “wherein of the state mapping”. It is unclear what the applicant intended to recite or define in association with “of the state mapping”, which renders claim 3 ambiguous and indefinite.

Claim 20 recites “The non-transitory computer-readable storage medium of claim 1, the program further executable to store a plurality of state mappings in memory, wherein each of the plurality of state mappings correspond to a respective set of malicious program code”. Claim 20 erroneously recites dependency from claim 1 instead of its respective claim 12, which raises issues and ambiguity in the recited limitations; therefore, claim 20 is rendered indefinite.

Claims 2-9 and 11 fail to remedy the deficiencies of their respective independent claims and are therefore rejected as indefinite under 35 U.S.C. 112(b), second paragraph.
Based on the above statements, claims 1-11 and 20 are rejected under 35 U.S.C. 112(b), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention.

Allowable Subject Matter
After consideration of the applicant’s correspondence filed on February 11, 2021, and through examination of claims 1-20 and search, the prior art of record cited in PTO-892, taken either alone or in combination, neither anticipates nor renders obvious the subject matter of claims 1, 10 and 12 when taken together as a whole, and claims 1, 10 and 12 would be allowable provided that all the above outstanding rejections and objection are overcome.
The allowable subject matter over the prior art of record in the currently claimed invention provides a method and system in which data blocks that are received out of order at an application layer in a peer to peer network are scanned for malicious content without re-ordering and reassembling those data blocks. Each of the received data blocks is scanned in a manner where each data block scanned has identified input states and output states. The identified input states include a state for each and every possible state that might be associated with malicious content. The identified input states include one or more characters in a sequence of characters that match content known to be associated with malicious content. In the series of identified input states, packets are also scanned out of order for malicious content by comparing the output states with the identified input states that may be included in a data block that has not yet been received.

The following prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See the notice of references cited in form PTO-892 for additional prior art.
Dubrovsky (US Pat. No. 8813221) discloses an Intrusion Detection/Prevention System (IPS) that typically resides between two ends of TCP communication, inspecting packets as the packets arrive at the IPS. The IPS looks for predetermined patterns in payloads of the packets. The patterns are typically application layer patterns. For example, the pattern might be to look for the word "windows." However, the word may be broken into two TCP segments, e.g., "win" in one segment and "dows" in another segment. If these two segments arrive in the correct order, then the IPS can detect the word. However, if the segments arrive out of order, which happens relatively often, then the IPS may first receive the segment containing "dows", and have to hold this segment and wait for the other segment. A typical approach is for the IPS to force a sender to re-transmit all the segments from the last missing one, hoping that the segments may arrive in order the second time. The disadvantage of this approach is the additional traffic in between and the additional processing on both ends of the TCP communication. The incoming packets are scanned without buffering the file for reassembly because the packets can be inspected for the predetermined pattern without being reassembled into the file. This technique allows the set of processing cores to scan incoming packets substantially concurrently and therefore, the speed of the scanning may be improved over conventional approaches. However, the above disclosed features in Dubrovsky do not teach the claimed invention.
JOHNSON US 20070226362 discloses an optimized, efficient algorithm for regular expression matching on streams with out of order data, while maintaining a small state and without complete flow reconstruction. Three versions of the algorithm, sequential, parallel and mixed, are implemented and shown on real network traffic data to be effective in matching regular expressions on IP packet streams. Each data segment in a flow with no predecessor in a stored list of objects generated from traversing a deterministic finite state automaton (DFA) associated with the regular expression; traversing the DFA using the data segment and a list of all non-accepting states; and if the plurality of packets is not declared as matching, then storing, as a list of equivalence classes, automaton state pairs having different starting states but an identical ending state. However, the above disclosed features in JOHNSON do not teach the claimed invention.
Lincoln US 20040179477 discloses a method and apparatus for monitoring and detecting strings of interest to effect intrusion detection, packet filtering, load balancing, routing, and other network-related operations without the need to completely reassemble higher layer packets. The methods are for monitoring, repairing, and responding to network activity based on a string-matching method that finds all occurrences of words from a given finite language in a sequence of datagrams, where blocks of data may arrive out-of-order. It has utility in performing content analysis on TCP/IP streams without either TCP stream reassembly or IP datagram reassembly. It has further utility in performing error-tolerant string matching: for fixed-vocabulary streams, the present invention can repair packets, or completely patch in missing packets from a sequence of datagrams, thereby preventing the recipient of a communication from requesting retransmission of missing parts of the sequence. However, the above disclosed features in Lincoln do not teach the claimed invention.
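
The out-of-order scanning idea described in the allowable-subject-matter paragraph and in the Dubrovsky and JOHNSON summaries above, as an added Python example (not code from the application, the cited references, or the examiner): each segment is scanned once from every non-accepting state of a single-pattern automaton, only the input-state to output-state map is kept, and adjacent maps are chained as neighbours arrive. The class and function names, the KMP automaton, the "windows" sample segments, and the assumption that segments do not overlap are choices of this example.

```python
def build_fail(p: bytes) -> list:
    """KMP failure table: fail[i] = length of the longest proper border of p[:i+1]."""
    fail, k = [0] * len(p), 0
    for i in range(1, len(p)):
        while k and p[i] != p[k]:
            k = fail[k - 1]
        if p[i] == p[k]:
            k += 1
        fail[i] = k
    return fail


def step(p: bytes, fail: list, state: int, byte: int) -> int:
    """One automaton transition; state == len(p) means the pattern was seen."""
    while state and p[state] != byte:
        state = fail[state - 1]
    return state + 1 if p[state] == byte else state


class OutOfOrderScanner:
    """Scans segments in arrival order without buffering payload bytes.

    Assumption of this example: segments are non-empty or ignored, and never
    overlap or repeat (a real IPS must normalise overlaps first).
    """

    def __init__(self, pattern: bytes):
        self.p, self.m = pattern, len(pattern)
        self.fail = build_fail(pattern)
        self.by_start = {}   # run start offset -> (run end offset, summary)
        self.by_end = {}     # run end offset   -> run start offset
        self.malicious = False

    def _summarize(self, data: bytes) -> tuple:
        """Output state for every possible input state (m = accepting, absorbing)."""
        out = []
        for start_state in range(self.m):
            state = start_state
            for b in data:
                state = step(self.p, self.fail, state, b)
                if state == self.m:
                    break
            out.append(state)
        return tuple(out)

    def _compose(self, first: tuple, second: tuple) -> tuple:
        """Chain two adjacent summaries: feed first's output state into second."""
        return tuple(self.m if o == self.m else second[o] for o in first)

    def add(self, offset: int, data: bytes) -> bool:
        """Record one segment; return True once the flow is known to match."""
        if not data:
            return self.malicious
        start, end, summ = offset, offset + len(data), self._summarize(data)
        if start in self.by_end:            # a stored run ends where this one begins
            left_start = self.by_end.pop(start)
            _, left_summ = self.by_start.pop(left_start)
            start, summ = left_start, self._compose(left_summ, summ)
        if end in self.by_start:            # a stored run begins where this one ends
            right_end, right_summ = self.by_start.pop(end)
            del self.by_end[right_end]
            end, summ = right_end, self._compose(summ, right_summ)
        self.by_start[start] = (end, summ)
        self.by_end[end] = start
        # A hit from state 0 is a real match anywhere inside this contiguous run.
        if summ[0] == self.m:
            self.malicious = True
        return self.malicious


def scan_segments(pattern: bytes, segments: list) -> list:
    """Verdict after each (offset, payload) segment, in arrival order."""
    scanner = OutOfOrderScanner(pattern)
    return [scanner.add(off, data) for off, data in segments]


if __name__ == "__main__":
    # Constructed sample: "dows" arrives before "win".
    print(scan_segments(b"windows", [(3, b"dows"), (0, b"win")]))
```

The per-run state is one tuple of `len(pattern)` integers, so memory depends on the rule size and the number of gaps in the flow, not on how many payload bytes are outstanding.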

Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TECHANE GERGISO whose telephone number is (571)272-3784. The examiner can normally be reached 9:30am to 6:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JUNG W KIM can be reached on 5712723804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/TECHANE GERGISO/Primary Examiner, Art Unit 2494