Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 06/29/2022 has been entered.
 
Response to Arguments
Applicant’s arguments with respect to claims 1, 4-9, 12-17, 19-20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 4-9, 12-17, 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Yu (US 2016/0277431) in view of Mihelich (US 2015/0281007).

Regarding Claim 1,

Yu (US 2016/0277431) teaches a non-transitory computer-readable storage medium having computer readable code stored thereon for programming a processor to perform the steps of: 

obtaining data from a log system storing historical transactions monitored in real time by a security system (Figure 3, 301 and associated text, teaches a network traffic log) (Paragraph [0006] teaches network traffic scanned in real time by a security system);
creating one or more mock transactions based on the historical transactions utilizing fields stored in logs of the historical transactions (Figure 3, 302, teaches retrospectively scanning the traffic wherein re-creating historical traffic is considered creating “mock transactions”),
and analyzing the one or more mock transactions with a signature pattern matching engine having updates provided therein subsequent to a time of the historical transactions (Figure 3, 303, 304, teaches analyzing the retrospective scan with updated signatures after the original network traffic was logged).

Yu does not explicitly teach:
wherein the one or more mock transactions have one of a header based on the data from the fields and a data portion that includes any of random data and predetermined fixed data with this data being different from data in the corresponding historical transactions or a header based on the data from corresponding historical transactions.
Mihelich (US 2015/0281007) teaches a header based on the data from corresponding transactions (Paragraph [0080, 0087, 0098] teaches HTTP headers in transaction history (i.e. traffic logs)).

It would have been obvious to one of ordinary skill in the art to modify the mock transactions and historical transactions of Yu to have a header based on data of transactions, and the results would be predictable (i.e. transaction data would include a header based on data).


Regarding Claim 4,

Yu and Mihelich teach the non-transitory computer-readable storage medium of claim 1, wherein the security system analyzed corresponding historical transactions of the one or more mock transactions with the signature pattern matching engine available at a time of the corresponding historical transactions (Paragraph [0006] teaches network traffic scanned in real time with the signatures at the time).

Regarding Claim 5,

Yu and Mihelich teach the non-transitory computer-readable storage medium of claim 1, wherein the computer readable code stored further programs the processor to perform the steps of: performing a content scan in the one or more mock transactions based on the signature pattern matching engine having the updates (Figure 3, 303, 304, teaches analyzing the retrospective scan with updated signatures after the original network traffic was logged).

Regarding Claim 6,

Yu and Mihelich teach the non-transitory computer-readable storage medium of claim 5. Mihelich teaches wherein the header includes fields for one or more of Hypertext Transfer Protocol (HTTP) method, Uniform Resource Locator (URL), referrer URL, and User Agent (Paragraph [0080, 0087, 0098] teaches HTTP headers in transaction history (i.e. traffic logs)).

Regarding Claim 7,

Yu and Mihelich teach the non-transitory computer-readable storage medium of claim 1, wherein the computer readable code stored further programs the processor to perform the steps of: determining malicious activity in the one or more mock transactions based on the signature pattern matching engine having the updates to determine missed matches in the corresponding historical transactions (Paragraph [0042] teaches previously missed matches).

Regarding Claim 8,

Yu and Mihelich teach the non-transitory computer-readable storage medium of claim 5. Mihelich teaches wherein the header includes fields for one or more of Uniform Resource Locator (URL), hostname, and Server Internet Protocol (IP) address (Paragraph [0099] teaches header includes hostname).

Regarding Claims 9, 12-16,

Claims 9, 12-16 are similar in scope to Claims 1, 4-8 and are rejected for a similar rationale.

Regarding Claims 17, 19-20,

Claims 17, 19-20 are similar in scope to Claims 1, 5, 7 and are rejected for a similar rationale.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HARRIS C WANG whose telephone number is (571)270-1462. The examiner can normally be reached M-F 9:00-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, LUU PHAM can be reached on 571-270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/HARRIS C WANG/Primary Examiner, Art Unit 2439