DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This office action is in response to the request for continued examination filed on July 18, 2022.
Claims 1-7, 9-25, 27-28 are allowed in light of the attached examiner’s amendment. 

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on July 18, 2022 has been entered.
 
Priority
Acknowledgment is made of applicant’s claim for foreign priority under 35 U.S.C. 119 (a)-(d). The certified copies have been filed in parent Application No. IL/253823, filed on August 3, 2017 and parent Application No. IL/254573, filed on September 18, 2017.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with Arun Shome on August 18, 2022.
The application has been amended as follows: 
	1.	(Currently Amended) A system for preventing attacks, on an organization having plural computers, via the computers' Universal Serial Bus (USB) ports, the system comprising:
		at least one processor configured to monitor at least one hardware aspect of a connection between a peripheral and a computer's USB port, to identify hardware aspects which match pre-configured criteria and, responsively, to take action,  
			wherein the system stores descriptor sets, each including at least one descriptor, for known rogue devices and for known legitimate devices and identifies peripherals which have these descriptors, and
			wherein the system is updated by adding descriptor sets for new models or types of legitimate or rogue USB devices to system memory, when a Machine Learning (ML) based algorithm is able to classify a certain USB device as a legitimate non malicious device with a sufficiently high level of confidence,
		wherein, each time unknown descriptors are found not to match any known device, legitimate or rogue, thereby to define an unknown descriptor set, the unknown descriptor set is determined to be an unknown new model of a legitimate USB device each time the unknown descriptor set repeats for an over-threshold number of USB devices in the organization, and the system triggers action each time an under-threshold number of USB devices having an unknown descriptor set are found.
	2.	(Currently Amended)  A system according to claim 1 wherein said at least one processor comprises
		a first processor configured to determine an ostensible identity of a peripheral connected to the computer via its USB port; and
		a second processor configured for comparing at least one aspect of the peripheral's operation with at least one known aspect of a peripheral having said ostensible identity. 
	3.	(Original)  A system according to claim 2 wherein said comparing includes detecting discrepancies between said aspects of the peripheral's operation and said known aspects of a peripheral having said ostensible identity. 
	4.	(Previously Presented)   A system according to claim 2 wherein the ostensible identity comprises a vendor ID and product ID provided by the peripheral to an operating system associated with the plural computers. 
	5.	(Previously Presented)    A system according to claim 1 wherein said at least one processor is configured to detect inputs injected via the USB port which are pre-defined to be indicative of a risk of an attack on the computer.
	6.	(Previously Presented)  A system according to claim 5 wherein said inputs comprise typed references to utilities pre-defined to be indicative of a risk of an attack on the computer. 
	7.	(Previously Presented)  A system according to claim 1 wherein, on plural occasions, said action comprises initiating a test thereby to generate test results and, depending on the test's results, taking at least one further action in some of the plural occasions but not others, depending on the test results in each occasion.
	8.	(Cancelled)
	9.	(Currently Amended) A system according to claim 1 wherein the processor is further configured to monitor at least one interface aspect of the connection.
	10.	(Currently Amended) A system according to claim 1 wherein the processor is further configured to monitor at least one behavioral aspect of the connection.
	11.	(Original)  A system according to claim 1 wherein said action is configurable, via a user interface, by a pre-designated security expert within a computerized network in which the computer is a node. 
	12.	(Previously Presented)   A system according to claim 2 wherein said action comprises provision of a notification alert to a pre-designated security expert within a computerized network in which the computer is a node. 
	13.	(Previously Presented)   A system according to claim 1 wherein said action comprises automatically disabling the USB port.
	14.	(Currently Amended) A system according to claim 2 wherein said known aspect comprises descriptors.
	15.	(Original) A system according to claim 12 wherein sets of descriptors characteristic of peripherals having a given make and model number are stored by the system.  
	16.	(Original) A system according to claim 15 wherein at least one set of descriptors stored by the system is characteristic of a peripheral used for penetration testing and wherein the second processor is operative for identifying, as a pre-configured criteria suggestive of attacks, each peripheral whose descriptors correspond to the set of descriptors, stored by the system, which is characteristic of a peripheral used for penetration testing. 
	17.	(Original) A system according to claim 15 wherein a pre-configured criteria suggestive of attacks includes peripherals whose descriptors do not correspond to any set of descriptors stored by the system. 
	18.	(Currently Amended)   A system according to claim 17 wherein the plural computers 
	19.	(Currently Amended) A method for preventing attacks of a Universal Serial Bus (USB) peripheral device on at least one computer from among plural computers, the method comprising:
		storing, in a computer storage data repository, at least one hardware aspect of at least one type of USB peripheral; and
		monitoring a connection between a peripheral instance and a computer's USB port, including using a processor configured for comparing aspects of the connection with said at least one aspect and taking action regarding at least one peripheral instance for which a result of said comparing suggests that the instance peripheral is attacking the computer,
			wherein, each time unknown descriptors are found not to match any known device, legitimate or rogue, the unknown descriptor set is determined to be an unknown new model of a legitimate USB device each time the unknown descriptor set repeats for an over-threshold number of USB devices in an organization, and the method triggers action each time an under-threshold number of USB devices having an unknown descriptor set are found, and
			wherein the method compares:
			a.  monitored real time hardware operational parameters of an instance USB device which has defined itself to an operating system, as part of their handshake, as being of type T; to
			b. population norms, which the system has accumulated, for the hardware operational parameters of devices of type T.
	20.	(Previously Presented)   A method according to claim 19 wherein each type of peripheral has a unique vendor ID and product ID and wherein the data repository stores at least one aspect of plural types of peripherals. 
	21.	(Previously Presented) A method according to claim 20 wherein the aspect stored comprises descriptors characteristic of each type in the data repository and wherein action is taken for at least one instance peripheral which identifies itself as having vendor and product IDs characteristic of a type t, then provides an operating system associated with the plural computers with a descriptor which is not one of the descriptors stored in the data repository for the type t. 
	22.	(Previously Presented)   A method according to claim 20 wherein the aspect stored comprises interfaces characteristically requested by each type of peripheral in the data repository and wherein action is taken for at least one instance peripheral which identifies itself as having vendor and product IDs characteristic of a type t, then requests, from an operating system associated with the plural computers, an interface which is not one of the interfaces stored in the data repository for type t. 
	23.	(Previously Presented) A method according to claim 20 wherein the at least one computer comprises a population of computers and wherein the method monitors and stores at least one operational parameter of peripherals connected to the population of computers and derives therefrom at least one expected level of said at least one operational parameter for each type of peripheral and wherein action is taken for at least one instance peripheral which identifies itself as having vendor and product IDs characteristic of a type t, but at least one of the instance peripheral's operational parameters, when monitored, deviates from the at least one expected level.
	24.	(Previously Presented)   A method according to claim 23 wherein said operational parameter comprises the instant peripheral's current level.
	25.	(Previously Presented)   A system according to claim 13 wherein said automatically disabling comprises repeatedly sending, from the computer's operating system's kernel space, USB-port-disabling commands, each time period t where t is less than a duty cycle of USB-port enabling commands issued by the computer's operating system's user space. 
	26.	(Cancelled) 
	27.	(Previously Presented)  A system according to claim 1 wherein hardware aspects are monitored, and then, via Machine Learning, anomalies in operational parameters are identified, by comparing:
		a.  monitored operational parameters of an instance USB device being monitored, the USB device being of a given type, as defined by an ID by which peripherals during a handshake with a system’s operating system identify their ostensible make and model to the system's operating system as part of said handshake, to
		b. population norms of the same or similar type which the system has accumulated, by Machine Learning, wherein devices which are not the same model or product but which share a single manufacturer or vendor are considered a similar type.
	28.	(Currently Amended) A method for preventing attacks, on an organization having plural computers, via the computers' Universal Serial Bus (USB) ports, the method comprising:
		using at least one processor configured to monitor at least one hardware aspect of a connection between a peripheral and a computer's USB port, to identify hardware aspects which match pre-configured criteria and, responsively, to take action,
			including storing descriptor sets, each including at least one descriptor, for known rogue devices and for known legitimate devices thereby to accumulate population norms, and identifying peripherals which have these descriptors, and
			adding descriptor sets for new models or types of legitimate or rogue USB devices to system memory, when a Machine Learning (ML) based algorithm is able to classify a certain USB device as a legitimate non malicious device with a sufficiently high level of confidence,
		wherein the method compares:
		a.  monitored real time hardware operational parameters of an instance USB device which has defined itself to an operating system, as part of their handshake, as being of type T; to
		b. population norms, which the system has accumulated, for the hardware operational parameters of devices of type T,
		wherein, each time unknown descriptors are found not to match any known device, legitimate or rogue, thereby to define an unknown descriptor set, the unknown descriptor set is determined to be an unknown new model of a legitimate USB device each time the unknown descriptor set repeats for an over-threshold number of USB devices in the organization, and the method triggers action each time an under-threshold number of USB devices having an unknown descriptor set are found.

REASONS FOR ALLOWANCE
The following is an examiner’s statement of reasons for allowance: 
Powers et al. (U.S. Pub. No. 2014/0337558 A1), hereinafter referred to as “Powers”, is directed towards a system of monitoring/protecting against attacks from USB peripherals (Par. [0049], Par. [0050], Par. [0057], Par. [0043]). Powers further teaches detecting attacks by identifying peripherals and their proper behavior (Par. [0053], Par. [0058]) and monitoring hardware aspects of the connection to protect against voltage attacks (Par. [0149]).
Ibatullin et al. (U.S. Pub. No. 2015/0067866 A1), hereinafter referred to as “Ibatullin”, is directed towards a system of identifying maliciousness of devices using machine learning by maintaining a device fingerprint database which tracks device profiles (Par. [0027], Par. [0053], Par. [0061]). Ibatullin further recites a threshold level of accuracy for profile generation (Par. [0040]) and comparing against a threshold value of maliciousness for maliciousness determination (Par. [0060]).
Sridhara et al. (U.S. Pub. No. 2015/0262067 A1), hereinafter referred to as “Sridhara”, is directed towards a system of identifying malicious behavior from peripheral devices using machine learning classification (Abstract, Par. [0054], Par. [0138]). Sridhara further teaches identification of this malicious behavior by comparing to expected normal behavior related to the peripheral (Par. [0138]).
Daley (NPL – “USBeSafe Applying One-Class SVM for Effective USB Event Anomaly Detection”), hereinafter referred to as “Daley”, is directed towards a system of identifying anomalous behavior from USB devices using machine learning (Page 26). Daley further teaches training and testing models against USB devices to distinguish between novel/anomalous behavior using a threshold calculation (Page 34-35). 
	The prior art of record does not explicitly disclose, in light of other features recited in independent claims, “wherein, each time unknown descriptors are found not to match any known device, legitimate or rogue, the unknown descriptor set is determined to be an unknown new model of a legitimate USB device each time the unknown descriptor set repeats for an over-threshold number of USB devices in the organization, and the method triggers action each time an under-threshold number of USB devices having an unknown descriptor set are found”. While the prior art of record discloses threshold values related to accuracy/maliciousness/novel behavior, the recitation of comparing to a threshold number of repeated descriptor sets in the event of a failed matching of device identity presented in the independent claims is not anticipated nor obvious over the prior art of record.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”
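The limitation quoted in the reasons for allowance above can be illustrated with a short sketch. This is an added example, not code from the application or the cited references; the class and function names, the device identifiers, the descriptor values, and the choice to treat a count exactly equal to the threshold as under-threshold are all assumptions made for illustration.

```python
from collections import defaultdict

LEGITIMATE, ROGUE = "legitimate", "rogue"
NEW_MODEL, ACTION = "new-legitimate-model", "action"


def normalize(descriptors):
    """Order-independent, hashable form of a device's descriptor set."""
    return frozenset(descriptors.items())


class DescriptorTriage:
    """Hypothetical triage of descriptor sets seen across an organization."""

    def __init__(self, known_legitimate, known_rogue, threshold):
        self.known_legitimate = {normalize(d) for d in known_legitimate}
        self.known_rogue = {normalize(d) for d in known_rogue}
        self.threshold = threshold
        # unknown descriptor set -> distinct device instances that presented it
        self.sightings = defaultdict(set)

    def observe(self, device_id, descriptors):
        key = normalize(descriptors)
        if key in self.known_rogue:
            return ROGUE
        if key in self.known_legitimate:
            return LEGITIMATE
        # A set is used so that re-plugging one device is not counted as a repeat.
        self.sightings[key].add(device_id)
        if len(self.sightings[key]) > self.threshold:
            return NEW_MODEL  # over-threshold: treated as a new legitimate model
        return ACTION         # under-threshold (assumed to include equality)


# Constructed sample descriptor sets; all values are made up.
KEYBOARD = {"idVendor": "0x1111", "idProduct": "0x0001", "bInterfaceClass": "0x03"}
PENTEST_TOOL = {"idVendor": "0x2222", "idProduct": "0x0002", "bInterfaceClass": "0x03"}
NEW_HEADSET = {"idVendor": "0x3333", "idProduct": "0x0003", "bInterfaceClass": "0x01"}
ONE_OFF = {"idVendor": "0x4444", "idProduct": "0x0004", "bInterfaceClass": "0x03"}


def demo():
    triage = DescriptorTriage([KEYBOARD], [PENTEST_TOOL], threshold=2)
    events = [  # constructed (device instance, descriptor set) observations
        ("host-a/dev-1", KEYBOARD),
        ("host-b/dev-2", PENTEST_TOOL),
        ("host-c/dev-3", NEW_HEADSET),
        ("host-c/dev-3", NEW_HEADSET),  # same device seen again
        ("host-d/dev-4", NEW_HEADSET),
        ("host-e/dev-5", NEW_HEADSET),  # third distinct device: over threshold
        ("host-f/dev-6", ONE_OFF),
    ]
    return [triage.observe(dev, desc) for dev, desc in events]


if __name__ == "__main__":
    print(demo())
```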
 
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Moore et al. (U.S. Pub. No. 2014/0215637 A1) – Includes methods related to USB port disabling commands and their duty cycle
Gyllenskog (U.S. Pub. No. 2013/0167254 A1) – Includes methods related to protecting against USB peripheral attacks
Pratt (U.S. Patent No. 9,785,771 B1) – Includes methods related to protecting against USB peripheral attacks
Hou (U.S. Pub. No. 2018/0324179 A1) – Includes methods related to protecting against a BadUSB attack

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ETHAN V VO whose telephone number is (571)272-2505. The examiner can normally be reached M-F 8am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571)272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patenxt-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/E. V. V./Examiner, Art Unit 2431
/SHIN-HON (ERIC) CHEN/Primary Examiner, Art Unit 2431