Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Office Action is in response to the reply by Applicant filed on 7/22/2022. Claims 1-20 are pending. This Office Action is Final.

Response to Arguments
	A) Amendments and arguments regarding 35 USC 101 for being an abstract idea have been considered and deemed not persuasive. The logging and identifying steps amount to a mental process that can practically be performed in the mind, so it falls under “Yes” regarding Step 2A, Prong One of the eligibility analysis. Turning to Prong Two and the question of whether the additional elements amount to significantly more, the mere generation of a report is NOT enough to overcome the rejection, because it amounts to insignificant extra-solution activity (MPEP 2106.05(g)).
	Further, the claim is not limited to computer implementation—that is, nothing in the claim actually requires a computer to perform the claimed steps. As explained in MPEP 2106.05(a), “It is important to note that in order for a method claim to improve computer functionality, the broadest reasonable interpretation of the claim must be limited to computer implementation. That is, a claim whose entire scope can be performed mentally, cannot be said to improve computer technology.” For at least this reason, I believe that the claim even as amended remains ineligible. As a result, these claim rejections under 35 USC 101 stand.

	B) Applicant argues that Giura fails to disclose, teach or even suggest “identifying, based on analyzing the logged network traffic and permissions granted to the one or more applications, those of the one or more applications that caused permission-protected data to be transmitted without having permission to access that data as circumventing permissions,” regarding claims 1, 12 and 17.  Examiner respectfully disagrees. 
	Examiner submits that Giura teaches “identifying, based on analyzing the logged network traffic and permissions granted to the one or more applications, those of the one or more applications that caused permission-protected data to be transmitted without having permission to access that data as circumventing permissions.” Giura, Paragraph 0023 recites “Should an enterprise server device attempt to connect to a new unknown destination outside its previously defined profile, this can be an indication, for instance, of a server breach, data exfiltration (e.g., surreptitious extraction of data), or Command and Control communication, at which point additional intelligence should be gathered, collected, and collated about the new unknown destination Internet Protocol (IP) address(s); if the unknown destination is associated with internal enterprise IP address(s); and information from historical network server log files, information that can include details for instance, new ports open, and baseline statistics for other meaningful features such as observation of unaccounted for increases of bytes communicated, new firewall messages, new signatures detected, and the like that can have been communicated through the newly opened ports. This intelligence can then be used to generate a behavior profiling report automatically for each server device along with severity scores for each generated behavior profiling report, which can facilitate analysis to determine the nature of the security incident, and the priority of subsequent forensic investigations.” 
	Applicant argues that Giura does not explicitly recite identifying one or more applications and that Giura only discloses an enterprise server device. While it is true that Giura identifies an enterprise server device when there are such things as data exfiltration, it is well known to one of ordinary skill in the art that an application, or an application running on a connected device/client, is what caused the server to perform a task, in this case creating a new connection. Giura, Paragraph 0023, further describes that a report is created in response to behavior that is not normal for the enterprise server device. Giura, Fig. 9 and Paragraphs 0052-0054, show and describe the report in detail, which Examiner would like to focus on. In Fig. 9, under “Actions,” Giura uses a generic entry received at the firewall that details a plurality of items, including an ‘Application’ field. Giura’s report does explicitly identify an Application or Applications, which may be necessary when a behavioral report is generated. It would almost be inherent, from a security standpoint, that in order to do a proper security assessment the network logs would have Application information, because all connections, malicious or not, would have to have been performed by some application or program. As a result, Giura teaches the limitations argued above.




Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-20 are rejected under 35 U. S. C. 101 as being directed to non-statutory subject matter as being directed to an abstract idea without being integrated into a practical application or significantly more.
Regarding claims 1, 12 and 17, the claim is directed to an abstract idea as reciting the limitations “logging network traffic,” “identifying” and “generating a report.” The aforementioned steps are a “mental process” because, as broadly interpreted, said steps could be performed in the human mind. Therefore, the claim recites an abstract idea.
	Said abstract idea and/or judicial exception is not integrated into a practical application, as the claim does not recite any other active steps that apply the determination result in a practical application. It is noted that the claims recite additional elements (i.e., processor/memory, computing system). However, said additional elements are recited at a high level of generality (i.e., as a generic processor performing a generic computer function of logging, identifying or generating a report, etc.) such that they amount to no more than mere instructions to apply the exception or abstract idea using a generic computer component. Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea.
	The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements, when considered both individually and as an ordered combination, do not amount to significantly more than the abstract idea. As mentioned above, although the claims recite additional elements, said elements, taken individually or as a combination, do not result in the claim amounting to significantly more than the abstract idea because the additional elements perform generic computer content distributing functions routinely used in the information technology field. See US Applications 2013/0254535, 2015/0156194 and 2011/0154027. As discussed above, the additional elements are recited at a high level of generality such that they amount to no more than mere instructions to apply the exception using a generic computer component. Therefore, the claim is directed to non-statutory subject matter.

	Regarding claims 2-11, 13-16 and 18-20; the dependent claims are also rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter for the same reasons addressed above as the claims recite an abstract idea without being integrated into a practical application or significantly more.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claim(s) 1-3, 6, 7, 10, 12-14 and 17-19 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Giura et al. (2018/0019932).

	As per claim 1, Giura discloses a method by a system to automatically identifying applications that circumvent permissions, the method comprising: 
	logging network traffic transmitted by one or more computing devices while the one or more computing devices execute one or more applications (Giura, Paragraph 0032 recites “Profiling engine 102, in addition to the foregoing, can also, on receiving network traffic data (e.g., log files from varied network devices, such as, authentication devices, firewall devices, proxy server devices, intrusion detection system devices, intrusion protection system devices, . . . ), can augment or correlate the network traffic data with records that provide details such as domain information, organization name, organization mailing address, contact information, records regarding dates the record was created, and if the record was changed/updated the date that the change was effectuated and/or became effective for each device included in the network traffic data.”);
	identifying, based on analyzing the logged network traffic and permissions granted to the one or more applications, those of the one or more applications that caused permission-protected data to be transmitted without having permission to access that data as circumventing permissions; and generating a report indicating the applications that were identified as circumventing permissions (Giura, Paragraph 0023 recites “Should an enterprise server device attempt to connect to a new unknown destination outside its previously defined profile, this can be an indication, for instance, of a server breach, data exfiltration (e.g., surreptitious extraction of data), or Command and Control communication, at which point additional intelligence should be gathered, collected, and collated about the new unknown destination Internet Protocol (IP) address(s); if the unknown destination is associated with internal enterprise IP address(s); and information from historical network server log files, information that can include details for instance, new ports open, and baseline statistics for other meaningful features such as observation of unaccounted for increases of bytes communicated, new firewall messages, new signatures detected, and the like that can have been communicated through the newly opened ports. This intelligence can then be used to generate a behavior profiling report automatically for each server device along with severity scores for each generated behavior profiling report, which can facilitate analysis to determine the nature of the security incident, and the priority of subsequent forensic investigations.”).

	As per claim 2, Giura discloses the method of claim 1, Giura further discloses wherein identifying those of the one or more applications that circumvent permissions is based on identifying, based on inspecting the logged network traffic, permission-protected data caused to be transmitted by the one or more applications, excluding, from the identified permission-protected data, data caused to be transmitted by an application that has permission to access that data to generate permission-circumvented data, and identifying those of the one or more application that caused the permission-circumvented data to be transmitted  (Giura, Paragraph 0023 recites “ Should an enterprise server device attempt to connect to a new unknown destination outside its previously defined profile, this can be an indication, for instance, of a server breach, data exfiltration (e.g., surreptitious extraction of data), or Command and Control communication, at which point additional intelligence should be gathered, collected, and collated about the new unknown destination Internet Protocol (IP) address(s); if the unknown destination is associated with internal enterprise IP address(s); and information from historical network server log files, information that can include details for instance, new ports open, and baseline statistics for other meaningful features such as observation of unaccounted for increases of bytes communicated, new firewall messages, new signatures detected, and the like that can have been communicated through the newly opened ports. This intelligence can then be used to generate a behavior profiling report automatically for each server device along with severity scores for each generated behavior profiling report, which can facilitate analysis to determine the nature of the security incident, and the priority of subsequent forensic investigations.”).

	As per claim 3, Giura discloses the method of claim 2, Giura further discloses grouping the permission-circumvented data based on a combination of data type and data destination; selecting one of the one or more applications that caused data of a particular data type to be transmitted to a particular data destination to be a representative application for a combination of the particular data type and the particular data destination; and generating a report indicating that the selected application is the representative application for the combination of the particular data type and the particular data destination (Giura, Paragraph 0023 recites “ Should an enterprise server device attempt to connect to a new unknown destination outside its previously defined profile, this can be an indication, for instance, of a server breach, data exfiltration (e.g., surreptitious extraction of data), or Command and Control communication, at which point additional intelligence should be gathered, collected, and collated about the new unknown destination Internet Protocol (IP) address(s); if the unknown destination is associated with internal enterprise IP address(s); and information from historical network server log files, information that can include details for instance, new ports open, and baseline statistics for other meaningful features such as observation of unaccounted for increases of bytes communicated, new firewall messages, new signatures detected, and the like that can have been communicated through the newly opened ports. This intelligence can then be used to generate a behavior profiling report automatically for each server device along with severity scores for each generated behavior profiling report, which can facilitate analysis to determine the nature of the security incident, and the priority of subsequent forensic investigations.”).

	As per claim 6, Giura discloses the method of claim 1, Giura further discloses wherein each of the one or more applications is executed on an instrumented version of a mobile operating system that logs application execution information (Giura, Paragraph 0055 recites “FIG. 10 presents an example embodiment 1000 of a mobile network platform 1010 that can implement and exploit one or more aspects of the disclosed subject matter described herein. Generally, wireless network platform 1010 can include components, e.g., nodes, gateways, interfaces, servers, or disparate platforms, that facilitate both packet-switched (PS) (e.g., internet protocol (IP), frame relay, asynchronous transfer mode (ATM)) and circuit-switched (CS) traffic (e.g., voice and data), as well as control generation for networked wireless telecommunication. As a non-limiting example, wireless network platform 1010 can be included in telecommunications carrier networks, and can be considered carrier-side components as discussed elsewhere herein. Mobile network platform 1010 includes CS gateway node(s) 1012 which can interface CS traffic received from legacy networks like telephony network(s) 1040 (e.g., public switched telephone network (PSTN), or public land mobile network (PLMN)) or a signaling system #7 (SS7) network 1070. Circuit switched gateway node(s) 1012 can authorize and authenticate traffic (e.g., voice) arising from such networks. Additionally, CS gateway node(s) 1012 can access mobility, or roaming, data generated through SS7 network 1070; for instance, mobility data stored in a visited location register (VLR), which can reside in memory 1030. Moreover, CS gateway node(s) 1012 interfaces CS-based traffic and signaling and PS gateway node(s) 1018. As an example, in a 3GPP UMTS network, CS gateway node(s) 1012 can be realized at least in part in gateway GPRS support node(s) (GGSN).
It should be appreciated that functionality and specific operation of CS gateway node(s) 1012, PS gateway node(s) 1018, and serving node(s) 1016, is provided and dictated by radio technology(ies) utilized by mobile network platform 1010 for telecommunication.”).

	As per claim 7, Giura discloses the method of claim 6, Giura further discloses wherein the mobile operating system is instrumented at a platform level to log information regarding one or more of: resource accesses by applications, when applications are installed and executed, and network traffic  (Giura, Paragraph 0032 recites “Profiling engine 102, in addition to the foregoing, can also, on receiving network traffic data (e.g., log files from varied network devices, such as, authentication devices, firewall devices, proxy server devices, intrusion detection system devices, intrusion protection system devices, . . . ), can augment or correlate the network traffic data with records that provide details such as domain information, organization name, organization mailing address, contact information, records regarding dates the record was created, and if the record was changed/updated the date that the change was effectuated and/or became effective for each device included in the network traffic data.”).

	As per claim 10, Giura discloses the method of claim 1, Giura further discloses wherein the network traffic is logged while one or more users interact with at least one of the one or more applications directly in-person or remotely (Giura, Paragraph 0074 recites “Computer 1112 can operate in a networked environment using logical connections to one or more remote computers, such as remote computer(s) 1144. Remote computer(s) 1144 can be a personal computer, a server, a router, a network PC, cloud storage, cloud service, a workstation, a microprocessor based appliance, a peer device, or other common network node and the like, and typically includes many or all of the elements described relative to computer 1112.”).

Regarding claims 12 and 17, claims 12 and 17 are directed to a device and a non-transitory readable medium associated with the method of claim 1. Claims 12 and 17 are of similar scope to claim 1, and are therefore rejected under similar rationale.

Regarding claims 13 and 18, claims 13 and 18 are directed to a device and a non-transitory readable medium associated with the method of claim 2. Claims 13 and 18 are of similar scope to claim 2, and are therefore rejected under similar rationale.

Regarding claims 14 and 19, claims 14 and 19 are directed to a device and a non-transitory readable medium associated with the method of claim 3. Claims 14 and 19 are of similar scope to claim 3, and are therefore rejected under similar rationale.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
	
Claims 4, 15 and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Giura et al. (2018/0019932) in view of Ganame et al. (US 2017/0099312).

	As per claim 4, Giura discloses the method of claim 1, but fails to teach searching for a fingerprint in code of at least one of the one or more applications, wherein the fingerprint is text that has determined to be used in code of an application that circumvents permissions; identifying those of the at least one of the one or more applications that include the fingerprint in its code as capable of circumventing permissions; and generating a report indicating the applications that were identified as capable of circumventing permissions.
	However, in an analogous art Ganame teaches searching for a fingerprint in code of at least one of the one or more applications, wherein the fingerprint is text that has determined to be used in code of an application that circumvents permissions; identifying those of the at least one of the one or more applications that include the fingerprint in its code as capable of circumventing permissions; and generating a report indicating the applications that were identified as capable of circumventing permissions (Ganame, Paragraph 0014 recites “ [0014] at least one knowledge database for storing data about said behaviour of the computer network and at least one signature element of a known malware, each knowledge database providing stored data to each learning module and analysis module;”).
	It would have been obvious to a person of ordinary skill in the art, prior to the earliest effective filing date, to use Ganame’s Method And System For Data Breach And Malware Detection with Giura’s Enterprise server behavior profiling because storing a fingerprint/signature of known malicious behavior is used to prevent any future attacks.

Regarding claims 15 and 20, claims 15 and 20 are directed to a device and a non-transitory readable medium associated with the method of claim 4. Claims 15 and 20 are of similar scope to claim 4, and are therefore rejected under similar rationale.

Claims 5, 8 and 16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Giura et al. (2018/0019932) in view of Karta et al. (US 2013/0305369).

	As per claim 5, Giura discloses the method of claim 1, but fails to teach wherein the permission-protected data includes one or more of: an international mobile equipment identity (IMEI) of a computing device, a media access control (MAC) address of a computing device, a MAC address of a router connected to a computing device, and a geolocation of a computing device.
	However, in an analogous art Karta teaches wherein the permission-protected data includes one or more of: an international mobile equipment identity (IMEI) of a computing device, a media access control (MAC) address of a computing device, a MAC address of a router connected to a computing device, and a geolocation of a computing device (Karta, Paragraph 0067 recites “At the next step, mobile device 102, which contains the zCore 106 sub-module, prevents the attack 107 and reports to the cloud servers 101 with a threat response message 108, containing various fields and variables, including for example, the attack time, attack type, attack location, MAC address of attacker (such as attacker 103), MAC address of compromised network, BSSID, SSID, GPS coordinates, geo IP location, and other parameters describing penetration attempts. Cloud Servers 101 receive one or more threat reports 108 from mobile device 102, that the network might be compromised.”).
	It would have been obvious to a person of ordinary skill in the art, prior to the earliest effective filing date, to use Karta’s detection of threats to networks, based on geographic location, with Giura’s Enterprise server behavior profiling because knowing what data has been breached is important when trying to remedy the situation, in order to know what information has been taken.

	As per claim 8, Giura discloses the method of claim 6, but fails to teach wherein the mobile operating system is instrumented at a kernel level to log information regarding one or more of: resource accesses by applications, when applications are installed and executed, and network traffic.
	However, Karta explicitly teaches a kernel wherein the mobile operating system is instrumented at a kernel level to log information regarding one or more of: resource accesses by applications, when applications are installed and executed, and network traffic (Karta, Paragraph 0064 recites “The zCore Kernel extension exposes a kernel level API to the firmware. This is used to pass functions and operations from the application level to the lower levels, i.e. to the kernel and hardware. The zCore API may be used by 3rd party applications.”).
	It would have been obvious to a person of ordinary skill in the art, prior to the earliest effective filing date, to use Karta’s detection of threats to networks, based on geographic location, with Giura’s Enterprise server behavior profiling because knowing where in the system the breach occurred is important information to help remedy the situation.

	Regarding claim 16, claim 16 is directed to a similar non-transitory machine-readable storage associated with the method of claim 5. Claim 16 is similar in scope to claim 5, and is therefore rejected under similar rationale.

Claim 9 is/are rejected under 35 U.S.C. 103 as being unpatentable over Giura et al. (2018/0019932) in view of Ramanath et al. (US 10,341,215).

	As per claim 9, Giura discloses the method of claim 1, but fails to teach wherein the network traffic is logged while user interactions are being simulated on at least one of the one or more applications.
	However, in an analogous art Ramanath teaches wherein the network traffic is logged while user interactions are being simulated on at least one of the one or more applications (Ramanath, Claim 2 recites “wherein each of the plurality of network traffic patterns comprises network traffic activity associated with an execution of simulated user actions associated with the one or more applications.”).
	It would have been obvious to a person of ordinary skill in the art, prior to the earliest effective filing date, to use Ramanath’s Methods, Systems, And Computer Readable Media For Emulating Network Traffic Patterns On A Virtual Machine with Giura’s Enterprise server behavior profiling because logged information, even if simulated, would be good information to have when performing behavioral profiling.

Claim 11 is/are rejected under 35 U.S.C. 103 as being unpatentable over Giura et al. (2018/0019932) in view of Sarin et al. (US  2020/0082081).

	As per claim 11, Giura discloses the method of claim 1, but fails to teach identifying those of the one or more applications that accessed permission-protected data but were not found causing the accessed permission-protected data to be transmitted as potentially obfuscating data; and generating a report indicating the applications that were identified as potentially obfuscating data.
	However, in an analogous art Sarin teaches identifying those of the one or more applications that accessed permission-protected data but were not found causing the accessed permission-protected data to be transmitted as potentially obfuscating data; and generating a report indicating the applications that were identified as potentially obfuscating data (Sarin, Paragraph 0045 recites “identification module 112 may identify a request by the potentially suspicious operation to open a file 122 on computing device 202. Additionally or alternatively, identification module 112 may identify a request by the potentially suspicious operation to read a file 122. In one example, a request to read a file 122 by a potentially suspicious operation may be to search for sensitive information to be exfiltrated. Additionally or alternatively, identification module 112 may identify a request by the potentially suspicious operation to write to a file 122 on computing device 202. In one example, a request to write to a file 122 by a potentially suspicious operation may be for encrypting, obfuscating, and/or removing sensitive information from computing device 202. Additionally or alternatively, identification module 112 may identify a request by the potentially suspicious operation to delete a file 122 on computing device 202.”).
	It would have been obvious to a person of ordinary skill in the art, prior to the earliest effective filing date, to use Sarin’s systems and methods for threat and information protection through file classification with Giura’s Enterprise server behavior profiling because obfuscating data, in the event of potentially suspicious operations, would be helpful to mitigate more data from being compromised.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to RODERICK TOLENTINO whose telephone number is (571)272-2661. The examiner can normally be reached Mon-Fri 8am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 571-270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

RODERICK TOLENTINO
Examiner
Art Unit 2439



/RODERICK TOLENTINO/Primary Examiner, Art Unit 2439