DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This office action is in response to communication filed on 10/16/2020.
Status of claims in the instant application:
Claims 1-24 are pending.
Priority
The instant application does not claim priority to any earlier filed application for patent.
Information Disclosure Statement
Information Disclosure Statements (IDS) filed on 10/16/2020 have been considered, and a signed copies of the IDS forms have been attached to this office action.
Drawings
Drawings filed on 10/16/2020 have been inspected, and it’s in compliance with MPEP 608.02.
Specification
Specification filed on 10/16/2020 has been inspected and it’s in compliance with MPEP 608.01.
Claim Objections
Claim 24 is objected for the following reason.
	Claim 24 recites, “The computer program product as described in claim 7 wherein the program 15code …”
	But the claim 7 that claim 24 depends from is NOT a computer program product claim, it’s a method claim. Therefore claim 24 is objected.
	*** Note: Examiner interprets that claim 24 depends on claim 17 (which is a computer program product claim) instead of claim 7.
Claims 1,2, 6, 9, 10, 14, 17, 18 and 20 are objected for the following reasons.
	Claims 1,2, 6, 9, 10, 14, 17, 18 and 20 use the abbreviated terms “HTTP” and “URI” without first using their full form[s] along with the abbreviation. Applicant is requested to use the full form of the abbreviated terms and then use only the abbreviations.
	Appropriate correction is required.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-24 are rejected under 35 U.S.C. 103 as being unpatentable over Pub. No.: US 20170264626 A1 to Xu et al. (hereinafter “Xu”) in view of “NPL: Error-Sensor: Mining Information from HTTP Error Traffic for Malware Intelligence”  to Zhang et al. (hereinafter “Zhang”).
Regarding Claim 1. Xu discloses A method of identifying and mitigating malware in association with an enterprise (Xu. Abstract, Para [0133]: … Techniques for malicious HTTP cookies detection and clustering are disclosed. In some embodiments, a system, process, and/or computer program product for malicious HTTP cookies detection and clustering includes receiving a sample at a cloud security service; extracting a cookie from network traffic associated with the sample; determining that the cookie is associated with malware; and generating a signature based on the cookie … Detecting that relevant cookie data in the HTTP header can be used as a security technology to detect malicious activity based on live network traffic analysis and protective measures/responses can be performed by a defender (e.g., data appliance 102 or HA 114 as shown in FIG. 1 can block the network/HTTP traffic, or perform some other measure/response, such as alert, block, drop, log, quarantine, and/or some other measure/response or a combination thereof can be performed) …), comprising:
receiving and segmenting HTTP traffic into HTTP error traffic, and associated 5successful HTTP request traffic (Xu, Para [0040, 0185, 0137-0142], FIG. 12: …  In some embodiments, a system, process, and/or computer program product for malicious HTTP cookies detection and clustering includes receiving a sample at a cloud security service; extracting a cookie from network traffic associated with the sample; determining that the cookie is associated with malware; and generating a signature based on the cookie. For example, the cookie can be extracted from a packet capture of the network traffic associated with the sample …  FIG. 12 is another flow diagram of a process for malicious HTTP cookies detection and clustering in accordance with some embodiments. In some embodiments, a process 1200 as shown in FIG. 12 is performed by the platform and techniques as similarly described above including the embodiments described above with respect to FIGS. 1-3, 5-7, and 9. In one embodiment, process 1200 is performed by data appliance 102 (e.g., or can similarly be performed by HA 114 as shown in FIG. 1) as described above with respect to FIGS. 1-3, 5-7, and 9 …  In one embodiment, a new technique for malicious HTTP cookies detection and clustering includes clustering cookies to identify a malicious cookie pattern. In this experiment, the training data set contains 40,000 unique cookies that are generated by malicious samples and also 100,000 cookies generated in benign/normal network traffic (e.g., network traffic that is not associated with malware) … FIG. 7 is an illustration of processing of cookies to facilitate clustering the cookies in accordance with some embodiments. In one embodiment, as an initial processing stage, cookies can be segmented, labeled, and compressed as also similarly described above with respect to FIG. 6A …);
However Xu does not explicitly teach, but Zhang from same or similar field of endeavor teaches:
“clustering the HTTP error traffic to identify one or more error clusters, wherein an error cluster has an associated set of characteristics (Zhang, Page [473, 475]: …  The errors generated by malware have different generating patterns from the errors generated by benign software. To further analyze the network patterns of errors, we first clustered the errors based on the similarity of their pages and parameters. The detailed clustering algorithm is described in Sect. 4.3. In this way, we obtained 42 clusters for malware-generated errors (CM) and 716 clusters for benign errors (CB) …Given the filtered error traffic, the next step is to cluster them into groups. The rationale behind this step is that when facing errors, malware may start their recovery behaviors which would result in similar errors or similar successful connections. Since we rely on the recovery behaviors generated by the same client, we group the errors by each client rather than across different clients. In this way, compared to existing correlation-based detection method [18], Error-Sensor is capable of detecting malware traffic even when there is only a single infected client …);
based on the associated set of characteristics of the one or more error clusters and the associated successful HTTP request traffic (Zhang, Page [475-476]: …. The key challenge for clustering is to determine which errors could be considered as the same. A straightforward way is to consider errors to be the same only when their URLs, including paths, pages, parameter names, are exactly matched … For example, during the vulnerable webpage scanning process, malware may send requests to multiple domains with the same target page files and the same exploit codes, or the clients may send requests to multiple compromised servers with the same compromised pages and parameters. However, certain malware campaigns may utilize obfuscated paths, such as Base64 or URL encoding for the page names. To address this problem, we set a threshold Tlen for the length of page names. If the length of the page name is shorter than Tlen, we consider that it is unlikely an obfuscated page name, and group the errors based on page names and parameters. On the other hand, if the length of the page name is longer than Tlen, we consider that the page is obfuscated, decode the page name with a URL decoder, and group the similar errors based on len(page name) and parameters. The clusters with a single error will be discarded because most of these errors are caused by misconfiguration where a client repeatedly sends the same requests to only one server …), training a machine learning model to distinguish 10HTTP errors generated by malware, and HTTP errors generated by benign activity (Zhang, Page [480-481]: … The ground truth data in Dday (shown in Table 1) consisted of 716 benign error clusters and 42 malicious error clusters. Training a classifier on this unbalanced data set may bias the classification model towards the abundant class (benign errors in our case), and may be tailored for less important features, i.e., the features that may cause noises rather than contribute to the accurate classification. We addressed this problem by stratified sampling. For each client, we randomly selected a benign error cluster and keep all the malicious error clusters. As a result, our balanced training set Dtrain contained 136 benign error clusters and 42 malicious error clusters. We then trained a random forest model, and ran 10-fold cross validation on Dtrain. Error-Sensor achieved an average true positive rate of 98.3% at 2.2% false positive rate in terms of error cluster classification. The two false positive clusters included total of 4 errors, and the single missed false negative cluster consisted of 2 errors. Therefore, the detection rate was 99.79% at 0.005% false positive rate in terms of individual error classification. We also applied our trained model on the remaining ground truth data (Dday − Dtrain), including 580 benign error clusters, and no false positive was reported. We further performed in-depth investigation of the misclassified cases. We checked the values in their features and compared the difference between (TP,FN) and (FP,TN) to see which features led to misclassification. For the one false negative cluster, we found that there was no suspicious server (f6=0), no accidental error (f4=0), and no recovery behaviors (f17=False, f18=False), which resulted in being classified as a benign cluster. For the two false positive clusters, we found that both had a high suspicious server ratio (f6=1), no accidental error (f4=0), and high period time, which looked very similar to malicious errors …);” and
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Zhang into the teachings of Xu, because it discloses that “different from other existing work that relies on malicious server reputation [14] and client side behavior patterns [18], focusing on the characteristics of HTTP errors detects malware-generated traffic, including both malicious and compromised servers, without requiring multiple infections, server reputation information, or infection/URL signatures (Zhang, Page [469])”.
Xu further discloses:
“responsive to an output from the machine learning model identifying an error cluster associated with malware, automatically initiating a mitigation action (Xu, Para [0132-0133]: … As similarly discussed above, some malware families exhibit their infection progress through external cookies. This represents an interesting finding, because this finding indicates that the malware's progress can be detected/tracked by monitoring network traffic, such as further described below … For example, one application is that the relevant key-value pair in malicious cookies can be determined such as similarly described above and that key-value pair data can be used to generate a signature. Network traffic can then be monitored (e.g., HTTP traffic can be monitored and decoded such as similarly described above with respect to FIG. 3) to detect when the relevant key-value pair appears in an HTTP header (e.g., based on applying the signature). Detecting that relevant cookie data in the HTTP header can be used as a security technology to detect malicious activity based on live network traffic analysis and protective measures/responses can be performed by a defender (e.g., data appliance 102 or HA 114 as shown in FIG. 1 can block the network/HTTP traffic, or perform some other measure/response, such as alert, block, drop, log, quarantine, and/or some other measure/response or a combination thereof can be performed) …).”
Regarding Claim 2. The combination of  Xu-Zhang discloses the method as described in claim 1, Zhang further discloses, “wherein the HTTP error traffic is 15clustered based on HTTP URI pages and parameters (Zhang, Page[475]: … The key challenge for clustering is to determine which errors could be considered as the same. A straightforward way is to consider errors to be the same only when their URLs, including paths, pages, parameter names, are exactly matched …).”
The motivation to further combine Zhang remains same as in claim 1.
Regarding Claim 3. The combination of  Xu-Zhang discloses the method as described in claim 1, Zhang further discloses, “wherein the set of characteristics associated with an error cluster comprise at least one of: an error provenance feature group, an error generation feature group, and an error recovery feature group (Zhang, Page[475]: … During this process, Error-Sensor extracts various statistical features from three perspectives: error provenance, error generation and error recovery. The resulting feature vectors are then sent to the Error-Sensor classifier which is trained to distinguish malware-generated errors from benign errors …).”
The motivation to further combine Zhang remains same as in claim 1.
Regarding Claim 4. The combination of  Xu-Zhang discloses the method as described in claim 3, Zhang further discloses, “wherein the error provenance feature group characterizes a reputation of an error cluster (Zhang, Page[476]: … Error Provenance Pattern (EPP): This category consists of six features for evaluating the overall reputation of an error cluster …).”
The motivation to further combine Zhang remains same as in claim 3.
Regarding Claim 5. The combination of  Xu-Zhang discloses the method as described in claim 3, Zhang further discloses, “wherein the error generation feature group characterizes a given error generation pattern associated with an error cluster, the given error generation pattern being one of: a sequence pattern, a period pattern, a frequency pattern, and a batch pattern (Zhang, Page[478]: … A Sequence Pattern (f7) characterizes … A Period Pattern (f8, f9, and f10) measures the minimum time interval for malware to generate the same errors (repeated errors). … A Frequency Pattern (f11, f12, and f13) measures how many recurring errors are generated for each error per day. Most benign errors are typically generated once or per usage. … A Batch Pattern (f14, f15, and f16) measures the minimum time interval for malware to contact other alternative servers in a cluster. …).”
The motivation to further combine Zhang remains same as in claim 3.
Regarding Claim 6. The combination of  Xu-Zhang discloses the method as described in claim 3, Zhang further discloses, “wherein the error recovery feature group characterizes a given error recovery pattern associated with an error cluster, the given error recovery pattern being one of: a temporal correlation, and a URI path correlation (Zhang, Page[478-479]: … Error Recovery Pattern (ERP): This feature group consists of two features to characterize the error recovery patterns of malware in the face of errors. Temporal Correlation (f17) characterizes the recovery behaviors of malware based on temporal correlation among errors and their nearby successful traffic. The rationale behind the feature is that when malware faces errors, it would start recovery mechanisms within a certain time. For example, malware may send requests to benign servers (e.g., google.com/xyz and facebook.com/xyz as shown in Table 7) to check network connectivity after several failed connections to malicious servers. Therefore, if a server frequently appears together with error requests, it is highly likely to be a part of malware recovery routines … URI Path Correlation (f18) characterizes the recovery behaviors of malware based on URI pattern correlation among errors and their surrounding successful traffic. We note that malware may generate the same requests to multiple servers to avoid a single point of failure. In this case, some of malware traffic may lead to errors while others may be successful. For example, when malware connects to compromised servers, some of the compromised servers may have already been cleaned by administrators and lead to 404 errors while others may redirect clients to malicious servers …).”
The motivation to further combine Zhang remains same as in claim 3.
Regarding Claim 107. The combination of  Xu-Zhang discloses the method as described in claim 1, Zhang further discloses, “wherein the machine learning model is trained using a random forest classifier (Zhang, Page[480]: … Building and Using a Classifier: Considering a set of diverse features, the classes of malicious error clusters and benign error clusters may not be linearly separable in their feature space, which makes Support Vector Machine (SVM) be less effective. In addition, tuning the parameters for diverse data is not trivial and parameter-free classifier would be desirable. Therefore, we leverage a random forest classifier (RFC) for classification, which does not require parameter tuning and is robust to handle outliers. The only two required parameters for RFC are the number of decision trees (Nt) and the number of features (Nf ) per decision tree, and these parameters are independent of nuances of the data and have standard selection rules8. If the classifier determines that a cluster is malicious, then Error-Sensor also outputs its recovery servers based on the servers extracted through temporal and URI path correlation …).”
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to further combine the teachings of Zhang, because it discloses that “we leverage a random forest classifier (RFC) for classification, which does not require parameter tuning and is robust to handle outliers (Zhang, Page [480])”.
Regarding Claim 8. The combination of  Xu-Zhang discloses the method as described in claim 1, further discloses, “wherein the mitigation action is one of: stopping execution of untrusted code that exhibits data exfiltration states, blocking access to 15suspect and recovery servers, providing credentials updates, updating application whitelists, providing notifications, and implementing application sandboxing (Xu, Para [0133]: …  one application is that the relevant key-value pair in malicious cookies can be determined such as similarly described above and that key-value pair data can be used to generate a signature. Network traffic can then be monitored (e.g., HTTP traffic can be monitored and decoded such as similarly described above with respect to FIG. 3) to detect when the relevant key-value pair appears in an HTTP header (e.g., based on applying the signature). Detecting that relevant cookie data in the HTTP header can be used as a security technology to detect malicious activity based on live network traffic analysis and protective measures/responses can be performed by a defender (e.g., data appliance 102 or HA 114 as shown in FIG. 1 can block the network/HTTP traffic, or perform some other measure/response, such as alert, block, drop, log, quarantine, and/or some other measure/response or a combination thereof can be performed) …).”
Regarding Claim 9. This claim contains all the same or similar limitations as claim 1, and hence similarly rejected as claim 1.
*** Note: Xu also discloses processor, memory containing instructions executed by the processor (Xu: Para [0021]).
Regarding Claim 10. This claim contains all the same or similar limitations as claim 2, and hence similarly rejected as claim 2.
Regarding Claim 2011. This claim contains all the same or similar limitations as claim 3, and hence similarly rejected as claim 3.
Regarding Claim 12. This claim contains all the same or similar limitations as claim 4, and hence similarly rejected as claim 4.
Regarding Claim 13. This claim contains all the same or similar limitations as claim 5, and hence similarly rejected as claim 5.
Regarding Claim 14. This claim contains all the same or similar limitations as claim 6, and hence similarly rejected as claim 6.
Regarding Claim 15. This claim contains all the same or similar limitations as claim 7, and hence similarly rejected as claim 7.
Regarding Claim 16. This claim contains all the same or similar limitations as claim 8, and hence similarly rejected as claim 8.
Regarding Claim 17. This claim contains all the same or similar limitations as claim 1, and hence similarly rejected as claim 1.
*** Note: Xu also discloses processor, memory containing instructions executed by the processor (Xu: Para [0021]).
Regarding Claim 1518. This claim contains all the same or similar limitations as claim 2, and hence similarly rejected as claim 2.
Regarding Claim 19. This claim contains all the same or similar limitations as claim 3, and hence similarly rejected as claim 3.
Regarding Claim 20. This claim contains all the same or similar limitations as claim 4, and hence similarly rejected as claim 4.
Regarding Claim 21. This claim contains all the same or similar limitations as claim 5, and hence similarly rejected as claim 5.
Regarding Claim 22. This claim contains all the same or similar limitations as claim 6, and hence similarly rejected as claim 6.
Regarding Claim 23. This claim contains all the same or similar limitations as claim 7, and hence similarly rejected as claim 7.
Regarding Claim 24. This claim contains all the same or similar limitations as claim 8, and hence similarly rejected as claim 8.
Pertinent Prior Arts
The following prior arts made of record and not relied upon are considered pertinent to applicant's disclosure.
	US 20110283361 A1; Perdisci et al.: Perdisci discloses A computerized system and method for performing behavioral clustering of malware samples, comprising: executing malware samples in a controlled computer environment fbr a predetermined time to obtain HTTP traffic; clustering the malware samples into at least one cluster based on network behavioral information from the HTTP traffic; and extracting, using the at least one processor, network signatures from the HTTP traffic information for each cluster, the network signatures being indicative of malware infection.
NPL: Clustering Android Malware Families by Http Traffic; Aresu et al.: Aresu discloses methods for detecting anomalous traffic involving Android mobile platform that has been targeted the most by malware that aim to steal personal information or to control the users’ devices. More specifically, mobile botnets are malware that allow an attacker to remotely control the victims’ devices through different channels like HTTP, thus creating malicious networks of bots. In this paper, we show how it is possible to effectively group mobile botnets families by analyzing the HTTP traffic they generate. To do so, we create malware clusters by looking at specific statistical information that are related to the HTTP traffic. This approach also allows us to extract signatures with which it is possible to precisely detect new malware that belong to the clustered families. Contrarily to x86 malware, we show that using fine-grained HTTP structural features do not increase detection performances. Finally, we point out how the HTTP information flow among mobile bots contains more information when compared to the one generated by desktop ones, allowing for a more precise detection of mobile threats.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAHABUB S AHMED whose telephone number is (571)272-0364.  The examiner can normally be reached on 9AM-5PM EST M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571)272-3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/MAHABUB S AHMED/Examiner, Art Unit 2434

/DANT B SHAIFER HARRIMAN/Primary Examiner, Art Unit 2434