DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 112
Claim 15 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 15 recites the limitation "said covert payloads" in line 2. There is insufficient antecedent basis for this limitation in the claim.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-16 and 18-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claims recite monitoring activity of a portion of the IP network and identifying datagrams comprising error messages above a threshold. The steps of monitoring and identifying in the context of the claim can practically be performed in the mind. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Applicant’s specification discloses the electronic devices may be general purpose (¶0053). Accordingly, the claim recites an abstract idea.
This judicial exception is not integrated into a practical application because monitoring and identifying amount to mere data gathering and analysis, which is a form of insignificant extra-solution activity. The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because monitoring and identifying errors that exceed a threshold is a well-known activity. The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because identifying and determining a cause of the crash based on the collected data is a well-known activity. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea.
Claims 2-16 provide additional limitations for identifying error messages. The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because identifying and determining a number of errors based on a threshold is a well-known activity. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea.
Claims 18-20 are rejected for the same reasons as listed above.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1, 6-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Gupta (US 2014/0173085).

As to claim 1, Gupta discloses a method for detecting covert payloads of data within an IP network, said method comprising the steps of: 
monitoring activity of at least a portion of the IP network for datagrams comprising error messages (¶0025); and 
identifying a selection of said datagrams comprising said error messages occurring with a regularity above a predetermined threshold (¶0027).

As to claim 6, Gupta discloses the method of claim 1 wherein: the network activity is monitored on a continual basis for a period of time (¶0053).

As to claim 7, Gupta discloses the method of claim 1 further comprising the steps of: generating a notification regarding said selection of said datagrams; and transmitting said notification to one or more remote devices (¶0038).

As to claim 8, Gupta discloses the method of claim 1 further comprising the steps of: identifying confederate hosts from destination address information in headers of said selection of said datagrams; and eliminating said confederate hosts from said IP network (¶0028).

As to claim 9, Gupta discloses the method of claim 1 further comprising the steps of: identifying a sub-selection of said selection of said datagrams comprising at least one additional factor selected from the group consisting of: a format identical to at least one prior one of said error messages within said monitored activity (¶0025); and arrival from a different address within the IP network than indicated in a source address of a header.

As to claim 10, Gupta discloses the method of claim 1 wherein: hosts of said IP network implement protocols complying with RFC 791 and RFC 792 (¶0025).

As to claim 11, Gupta discloses the method of claim 1 wherein: the error messages comprise ICMP error messages (¶0025).

As to claim 12, Gupta discloses the method of claim 1 wherein: said activity is monitored by a host of said IP network (¶0053).

As to claim 13, Gupta discloses the method of claim 12 further comprising the steps of: forwarding datagrams within said monitored activity to at least one remote device, wherein said selection of said datagrams are identified by said at least one remote device (¶0037).

As to claim 14, Gupta discloses the method of claim 12 wherein: said activity is monitored by each host of said IP network (¶0053).

As to claim 15, Gupta discloses the method of claim 1 further comprising the steps of: removing said covert payloads from said selection of said datagrams (¶0028).

As to claim 16, Gupta discloses the method of claim 15 further comprising the steps of: further monitoring said selection of said datagrams as transmitted within said IP network after removing (¶0028).

As to claim 17, Gupta discloses a method for detecting covert payloads of data within an IP network, said method comprising the steps of: 
monitoring activity at one or more hosts of the IP network for datagrams comprising error messages (¶0025); 
identifying a selection of said datagrams comprising said error messages as containing one of said covert payloads, wherein each of said selection of said datagrams comprise at least two factors selected from the group consisting of: 
said error messages of said selection of said datagrams occur with a regularity that is greater than a natural statistical average for the IP network with a margin of error; 
said error messages of said selection of said datagrams are formatted identically to at least one prior error message within said monitored activity (¶0025); and 
said error messages of said selection of said datagrams indicate arrival from a different address within the IP network than indicated in source addresses of headers of said error messages of said selection of said datagrams (¶0027); 
generating a notification indicating that said covert payloads of data are found within said IP network; 
altering said selection of said datagrams to remove said covert payloads (¶0025); and 
monitoring further transmission of said altered datagrams within said network (¶0025).

As to claim 18, Gupta discloses a system for detecting covert payloads of data within an IP network, said system comprising: a number of hosts, each respective host comprising one or more processors and one or more electronic storage devices comprising software instructions, which when executed, configure said one or more processors to: monitor error messages generated by said respective host in response to datagrams received at said respective host; and identifying any of said received datagrams resulting in generation of said error messages with a regularity above a predetermined threshold (¶0027).

As to claim 19, Gupta discloses the system of claim 18 further comprising: additional software instructions stored at said one or more electronic storage devices, which when executed, configure said one or more processors to further identify any of said identified datagrams also comprising at least one additional factor selected from the group consisting of: a format identical to at least one prior one of said error messages received at said receptive host (¶0025); and arrival from a different one of said receptive hosts within the IP network not matching an address provided by a source address of a header of said datagram.

As to claim 20, Gupta discloses the system of claim 18 further comprising: additional software instructions stored at said one or more electronic storage devices, which when executed, configure said one or more processors to: alter said identified datagrams to remove said covert payload; and monitor further transmission of said altered datagrams through at least a portion of said IP network (¶0025).

Allowable Subject Matter
Claims 2-5 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. All other rejections must be overcome.
As to claims 2-4, the prior art fails to disclose the method of claim 1 wherein: said predetermined threshold comprises a natural statistical average for the IP network. This limitation in combination with the claim as a whole is patentably distinct over the prior art of record.
As to claim 5, the prior art fails to disclose isolating said selection of said datagrams; and eliminating said selection of said datagrams from said IP network. This limitation in combination with the claim as a whole is patentably distinct over the prior art of record.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Prior art Wong (US 9,203,755) discloses wherein a flow of packets sent from a server device over a TCP network to at least one endpoint device is identified, the endpoint device accessing the TCP network over a wireless access network. A message is identified from the endpoint device to the server device communicating an error condition relating to at least one packet in the flow. At least one processing device is used to predict that the error condition is based, at least in part, on a non-congestion-related condition (Abstract).
Prior art Huber (US 2008/0082661) discloses a network monitor that autonomously determines the functional states of a plurality of network monitoring agents loaded on a plurality of network elements. The network monitor sends a query to each network monitoring agent. In response to a query, a network monitoring agent sends a reply back to the network monitor. The reply reports the functional state of the network monitoring agent, operational or non-operational. If the network monitor does not receive a reply back within a timeout interval, it determines that the functional state of the network monitoring agent is non-operational (Abstract).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHARLES EHNE whose telephone number is (571)272-2471. The examiner can normally be reached 8:00-5:00 M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Bryce Bonzo, can be reached on 571-272-3655. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/CHARLES EHNE/               Primary Examiner, Art Unit 2113