DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-6, 8-13 and 15-20 are allowed.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 6/25/20 is being considered by the examiner.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with Jonathon Western on 6/15/22.
The application has been amended as follows: 

1.  (Currently Amended)  A method comprising:
	receiving, at a service, traffic telemetry data regarding encrypted traffic sent by an endpoint device in a network, wherein the traffic telemetry data is indicative of one or more of: a user agent parameter of the encrypted traffic, a ciphersuite offered by the endpoint device, a Transport Layer Security (TLS) extension used by the encrypted traffic, sequence of packet lengths and time (SPLT) data regarding the encrypted traffic, sequence of application lengths and time (SALT) data regarding the encrypted traffic, and byte distribution (BD) data regarding the encrypted traffic; 
	analyzing, by the service, the traffic telemetry data to infer an identity of an application on the endpoint device that sent the encrypted traffic; 
	receiving, at the service and from a monitoring agent on the endpoint device, application telemetry data regarding the application; 
	determining, by the service, that the application is evasive malware based on the identity of the application inferred from the traffic telemetry data and on the application telemetry data received from the monitoring agent on the endpoint device by: 
		determining an identity of the application based on the application telemetry data received from the monitoring agent on the endpoint device, and 
		comparing the identity of the application determined based on the application telemetry data with the identity of the application inferred from the traffic telemetry data; and
	initiating, by the service, performance of a mitigation action in the network, after determining that the application on the endpoint device is evasive malware.

2.  (Original)  The method as in claim 1, wherein the mitigation action comprises at least one of: blocking the encrypted traffic or generating an alert regarding the endpoint device.

3.  (Original)  The method as in claim 1, wherein the application telemetry data comprises a process hash fingerprint of the application.
 
4.  (Original)  The method as in claim 1, further comprising:
verifying, by the service, that the identity of the application inferred from the traffic telemetry data is correct based on comparing the identity of the application determined based on the application telemetry data with the identity of the application inferred from the traffic telemetry data.

5.  (Original)  The method as in claim 1, further comprising:
determining, by the service, that the application is evasive malware when the identity of the application determined based on the application telemetry data is inconsistent with the identity of the application inferred from the traffic telemetry data.

6.  (Original)  The method as in claim 1, wherein receiving, from the monitoring agent on the endpoint device, the application telemetry data regarding the application comprises:
	sending, by the service, a request to the monitoring agent for the application telemetry data; and
	receiving, at the service, the application telemetry data, in response to the request.

7.  (Canceled) 

8.  (Currently Amended)  An apparatus, comprising:
one or more network interfaces to communicate with a network;
a processor coupled to the one or more network interfaces and configured to execute one or more processes; and
a memory configured to store a process executable by the processor, the one or more processes when executed configured to:
receive traffic telemetry data regarding encrypted traffic sent by an endpoint device in a network, wherein the traffic telemetry data is indicative of one or more of: a user agent parameter of the encrypted traffic, a ciphersuite offered by the endpoint device, a Transport Layer Security (TLS) extension used by the encrypted traffic, sequence of packet lengths and time (SPLT) data regarding the encrypted traffic, sequence of application lengths and time (SALT) data regarding the encrypted traffic, and byte distribution (BD) data regarding the encrypted traffic;
analyze the traffic telemetry data to infer an identity of an application on the endpoint device that sent the encrypted traffic;
receive, from a monitoring agent on the endpoint device, application telemetry data regarding the application; 
determine that the application is evasive malware based on the identity of the application inferred from the traffic telemetry data and on the application telemetry data received from the monitoring agent on the endpoint device by: 
	determining an identity of the application based on the application telemetry data received from the monitoring agent on the endpoint device, and 
	comparing the identity of the application determined based on the application telemetry data with the identity of the application inferred from the traffic telemetry data; and
initiate performance of a mitigation action in the network, after determining that the application on the endpoint device is evasive malware.

9.  (Original)  The apparatus as in claim 8, wherein the mitigation action comprises at least one of: blocking the encrypted traffic or generating an alert regarding the endpoint device.

10.  (Original)  The apparatus as in claim 8, wherein the application telemetry data comprises a process hash fingerprint of the application.

11.  (Original)  The apparatus as in claim 8, wherein the one or more processes when executed are further configured to:
verify that the identity of the application inferred from the traffic telemetry data is correct based on comparing the identity of the application determined based on the application telemetry data with the identity of the application inferred from the traffic telemetry data.
 
12.  (Original)  The apparatus as in claim 8, wherein the one or more processes when executed are further configured to:
	determine that the application is evasive malware when the identity of the application determined based on the application telemetry data is inconsistent with the identity of the application inferred from the traffic telemetry data.

13.  (Original)  The apparatus as in claim 8, wherein the apparatus receives, from the monitoring agent on the endpoint device, the application telemetry data regarding the application by:
	sending a request to the monitoring agent for the application telemetry data; and
	receiving the application telemetry data, in response to the request.
 
14.  (Canceled)  
 
15.  (Currently Amended)  A tangible, non-transitory, computer-readable medium that stores program instructions causing a service to execute a process comprising:
receiving, at a service, traffic telemetry data regarding encrypted traffic sent by an endpoint device in a network, wherein the traffic telemetry data is indicative of one or more of: a user agent parameter of the encrypted traffic, a ciphersuite offered by the endpoint device, a Transport Layer Security (TLS) extension used by the encrypted traffic, sequence of packet lengths and time (SPLT) data regarding the encrypted traffic, sequence of application lengths and time (SALT) data regarding the encrypted traffic, and byte distribution (BD) data regarding the encrypted traffic;
	analyzing, by the service, the traffic telemetry data to infer an identity of an application on the endpoint device that sent the encrypted traffic; 
	receiving, at the service and from a monitoring agent on the endpoint device, application telemetry data regarding the application; 
	determining, by the service, that the application is evasive malware based on the identity of the application inferred from the traffic telemetry data and on the application telemetry data received from the monitoring agent on the endpoint device by: 
		determining an identity of the application based on the application telemetry data received from the monitoring agent on the endpoint device, and 
		comparing the identity of the application determined based on the application telemetry data with the identity of the application inferred from the traffic telemetry data; and
	initiating, by the service, performance of a mitigation action in the network, after determining that the application on the endpoint device is evasive malware. 

16.  (Original)  The tangible, non-transitory, computer-readable medium as in claim 15, wherein the mitigation action comprises at least one of: blocking the encrypted traffic or generating an alert regarding the endpoint device.
 
17.  (Original)  The tangible, non-transitory, computer-readable medium as in claim 15, wherein the application telemetry data comprises a process hash fingerprint of the application.
 
18.  (Original)  The tangible, non-transitory, computer-readable medium as in claim 15, wherein the process further comprises:
verifying, by the service, that the identity of the application inferred from the traffic telemetry data is correct based on comparing the identity of the application determined based on the application telemetry data with the identity of the application inferred from the traffic telemetry data.

19.  (Original)  The tangible, non-transitory, computer-readable medium as in claim 15, wherein the process further comprises:
	determining, by the service, that the application is evasive malware when the identity of the application determined based on the application telemetry data is inconsistent with the identity of the application inferred from the traffic telemetry data.

20.  (Original)  The tangible, non-transitory, computer-readable medium as in claim 15, wherein receiving, from the monitoring agent on the endpoint device, the application telemetry data regarding the application comprises:
	sending, by the service, a request to the monitoring agent for the application telemetry data; and
	receiving, at the service, the application telemetry data, in response to the request.
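As an added illustration of the cross-check recited in independent claims 1, 8 and 15 (example code written for this page; it is not part of the office action, the cited prior art, or the application's own implementation): traffic telemetry for an encrypted flow is matched against a catalogue of known application fingerprints to infer the sending application, the endpoint agent's process hash fingerprint yields a second, independent identity, and disagreement between the two is what the service treats as evasive malware before initiating a mitigation action. The fingerprint catalogue, the process-hash allowlist, the feature weights and the match threshold are all constructed assumptions for the example; a real service would draw them from fingerprint databases and an endpoint software inventory.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TrafficTelemetry:
    """Traffic-side features named in the claims; all sample values are constructed."""
    user_agent: Optional[str]          # None when nothing in the flow exposes one
    ciphersuites: tuple[int, ...]      # cipher suite ids offered in the ClientHello
    tls_extensions: tuple[int, ...]    # TLS extension ids present in the ClientHello
    splt: tuple[tuple[int, int], ...]  # sequence of (packet length, inter-arrival ms)
    byte_dist: tuple[float, ...]       # coarse payload byte-value histogram (4 bins, sums to 1)


@dataclass(frozen=True)
class AppTelemetry:
    """What the endpoint monitoring agent reports about the sending process."""
    process_hash: str   # hash fingerprint of the process image (claims 3, 10, 17)
    process_name: str   # self-reported name; informational only, never used for identity


@dataclass(frozen=True)
class Verdict:
    inferred_from_traffic: Optional[str]
    reported_by_agent: Optional[str]
    verdict: str
    action: Optional[str]


# Constructed catalogue of known applications' wire fingerprints (hypothetical values).
FINGERPRINT_CATALOGUE: dict[str, TrafficTelemetry] = {
    "corp-browser": TrafficTelemetry(
        "CorpBrowser/1.0", (0x1301, 0x1302, 0xC02B, 0xC02F), (0, 10, 11, 16, 43, 51),
        ((517, 0), (1400, 12), (1400, 1), (300, 40)), (0.40, 0.20, 0.20, 0.20)),
    "update-agent": TrafficTelemetry(
        "UpdateAgent/2.3", (0xC02F, 0xC030, 0x009C), (0, 10, 11, 23),
        ((250, 0), (80, 5), (1400, 30)), (0.10, 0.30, 0.30, 0.30)),
}

# Constructed allowlist mapping process hashes to the identity the agent side knows.
PROCESS_HASH_CATALOGUE: dict[str, str] = {
    "sha256:c0ffee01": "corp-browser",   # placeholder hash, not a real one
    "sha256:c0ffee02": "update-agent",   # placeholder hash, not a real one
}

MATCH_THRESHOLD = 0.6  # assumed cut-off below which no identity is inferred


def _jaccard(a, b) -> float:
    sa, sb = set(a), set(b)
    return len(sa & sb) / len(sa | sb) if (sa | sb) else 1.0


def _bd_similarity(a, b) -> float:
    # L1 distance between two histograms lies in [0, 2]; map it onto a [1, 0] similarity.
    return 1.0 - sum(abs(x - y) for x, y in zip(a, b)) / 2.0


def similarity(obs: TrafficTelemetry, ref: TrafficTelemetry) -> float:
    """Weighted feature agreement in [0, 1]; the weights are an assumption for the example."""
    ua = 1.0 if obs.user_agent is not None and obs.user_agent == ref.user_agent else 0.0
    n = min(len(obs.splt), len(ref.splt))
    splt = (sum(1 for (l_o, _), (l_r, _) in zip(obs.splt, ref.splt) if abs(l_o - l_r) <= 64) / n
            if n else 0.0)
    return (0.30 * _jaccard(obs.ciphersuites, ref.ciphersuites)
            + 0.25 * _jaccard(obs.tls_extensions, ref.tls_extensions)
            + 0.20 * splt
            + 0.15 * _bd_similarity(obs.byte_dist, ref.byte_dist)
            + 0.10 * ua)


def infer_identity_from_traffic(obs: TrafficTelemetry) -> Optional[str]:
    """Claim step: infer which application sent the encrypted traffic."""
    best_name, best_score = None, 0.0
    for name, ref in FINGERPRINT_CATALOGUE.items():
        score = similarity(obs, ref)
        if score > best_score:
            best_name, best_score = name, score
    return best_name if best_score >= MATCH_THRESHOLD else None


def identity_from_agent(report: AppTelemetry) -> Optional[str]:
    """Claim step: determine identity from the agent's process hash fingerprint."""
    return PROCESS_HASH_CATALOGUE.get(report.process_hash)


def classify(obs: TrafficTelemetry, report: AppTelemetry) -> Verdict:
    """Claim step: compare the two identities and choose a mitigation action."""
    inferred = infer_identity_from_traffic(obs)
    reported = identity_from_agent(report)
    if inferred is None or reported is None:
        # One side could not name the application: not proof of evasion, but worth an alert.
        return Verdict(inferred, reported, "inconclusive", "alert")
    if inferred == reported:
        # Claim 4: the traffic-based inference is confirmed by the endpoint.
        return Verdict(inferred, reported, "consistent", None)
    # Claim 5: the process on the host is not the application the wire says it is.
    return Verdict(inferred, reported, "evasive_malware", "block_traffic_and_alert")


# Constructed sample: a flow that looks exactly like corp-browser on the wire (no UA visible),
# paired with two agent reports for the sending process.
OBSERVED_TRAFFIC = TrafficTelemetry(
    None, (0x1301, 0x1302, 0xC02B, 0xC02F), (0, 10, 11, 16, 43, 51),
    ((517, 0), (1400, 12), (1400, 1), (300, 40)), (0.40, 0.20, 0.20, 0.20))
AGENT_REPORT_OK = AppTelemetry("sha256:c0ffee01", "corpbrowser.exe")
AGENT_REPORT_SPOOFED = AppTelemetry("sha256:c0ffee02", "corpbrowser.exe")  # hash says update-agent

if __name__ == "__main__":
    for label, report in (("genuine", AGENT_REPORT_OK), ("spoofed", AGENT_REPORT_SPOOFED)):
        print(label, classify(OBSERVED_TRAFFIC, report))
```

The identity on the agent side comes only from the process hash, never from the self-reported process name, which is the point of claims 3, 10 and 17: a process can call itself anything, but its image hash and its TLS behaviour have to agree with the same catalogue entry. The "inconclusive" branch is a design choice of this example rather than something the claims recite.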

Allowable Subject Matter
The following is an examiner’s statement of reasons for allowance:
Prior art of record, Chen et al. U.S. Pub. No. 20180131711, discloses a method of protecting computing devices from malicious activity comprising monitoring network traffic flows of network computing devices and identifying applications that are a source of the first network traffic flow; observing network traffic flows of identified source applications over time to determine normal network traffic flows of the source applications; and observing network traffic flows to detect when a source application is behaving anomalously based on associated network traffic flow characteristics deviating from the normal network traffic flow of the source applications.
Sartin et al. U.S. Pub. No. 20130160119 discloses a security monitoring system, wherein the system receives netflow data that includes information corresponding to network-side activity associated with a target device, and evaluates the netflow data based on a netflow signature to identify potentially malicious activity.
The prior art of record does not explicitly disclose, in light of other features recited in independent claims, wherein the traffic telemetry data is indicative of one or more of: a user agent parameter of the encrypted traffic, a ciphersuite offered by the endpoint device, a Transport Layer Security (TLS) extension used by the encrypted traffic, sequence of packet lengths and time (SPLT) data regarding the encrypted traffic, sequence of application lengths and time (SALT) data regarding the encrypted traffic, and byte distribution (BD) data regarding the encrypted traffic; analyzing, by the service, the traffic telemetry data to infer an identity of an application on the endpoint device that sent the encrypted traffic; determining, by the service, that the application is evasive malware based on the characteristics of the application inferred from the traffic telemetry data and on the application telemetry data received from the monitoring agent on the endpoint device, wherein the determining step comprises determining an identity of the application based on the application telemetry data received from the monitoring agent on the endpoint device, and comparing the determined identity of the application from the application telemetry data to the identity of the application inferred from the traffic telemetry data.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
El-Moussa et al. U.S. Pub. No. 20190207955 discloses malicious network traffic identification.
Zafer et al. U.S. Pub. No. 20190149396 discloses method for network incident remediation recommendations.
Vasseur et al. U.S. Pub. No. 20190068474 discloses wireless throughput issue detection using coarsely sampled application activity.
El-Moussa et al. U.S. Pub. No. 20190012457 discloses malicious software identification.
Kallos et al. U.S. Pub. No. 20180375882 discloses malicious software identification.
Sood et al. U.S. Pub. No. 20180341494 discloses accelerating network security monitoring.
Donnelly et al. U.S. Pub. No. 20160006755 discloses dynamic traffic steering system.
El-Moussa U.S. Pub. No. 20110302656 discloses detecting malicious behavior on a computer network.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHIN HON (ERIC) CHEN whose telephone number is (571)272-3789. The examiner can normally be reached Monday to Thursday 9am-7pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SHIN-HON (ERIC) CHEN/Primary Examiner, Art Unit 2431