DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This communication is in response to the application filed on 01/15/2021 and claiming foreign priority to 01/17/2020. Claims 1-20 are currently pending.
Suggestions on how to overcome any objection(s) and rejection(s) raised in this office action are found at the end of such sections. 

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 12/29/2021 was filed before the mailing date of the office action on 08/17/2022.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
Election/Restrictions
Restriction to one of the following inventions is required under 35 U.S.C. 121:
I. Claims 1-6, and 12-17, drawn to first species, classified in figure 2 of the drawings.
II. Claims 7-11 and 18-20, drawn to second species, classified in figure 3 of the drawings.
During a telephone conversation with ANN MCCOY (Attorney, Reg. No. 46077) on 08/10/2022 a provisional election was made WITHOUT traverse to prosecute the invention of first species, claims 1-6, and 12-17.  Affirmation of this election must be made by applicant in replying to this Office action.  Claims 7-11 and 18-20 are withdrawn from further consideration by the examiner, 37 CFR 1.142(b), as being drawn to a non-elected invention.

Claim Interpretation
It is observed that the pending claims recite a term which is not standard in the art. Nonetheless, applicant appeared to have acted as their own lexicographer as the term is defined in the specification and as such, when interpreting the claims, the term is limited by the definition provided in the specification. For example, “abnormal terminal relationship” was defined in paragraph 0105 of the specification in terms of relationships between the target terminal and a terminal whose IP address indicates the destination IP address when the destination port number in the packet is a preset risky port (abnormal). Based on the specification, the number of abnormal terminal relationships is interpreted as anomaly/abnormal occurrence counts in the network system.
“Risky ports”, also known as “vulnerable ports”, is a well-known term in the art. They are ports that are vulnerable to one form of attack or another and through which malware or viruses can propagate or spread to other terminals or hosts in the network. Non-limiting examples of risky ports include 15, 16, 17, 70, 80, 135, 139, 445, 449, 1012, 1027, 3389, etc. For example, Tufin, a security policy company, defines risky ports as commonly-used ports exposed to the internet which could leave one’s assets open to attack and are considered high risk ports (https://forum.tufin.com).
 	For the purpose of the examination of the present application, vulnerable ports are considered risky ports.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-2, 4-6, 12-13, and 15-17 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. PGPub. No. 20090044276 to Abdel-Aziz et al. (hereinafter Abdel-Aziz) in view of NPL “Unveiling Malicious Activities in LAN with Honeypot” to Zhiqing et al. (hereinafter Zhiqing).

Regarding claim 1, Abdel-Aziz discloses a method for suppressing virus propagation in a local area network (LAN), being applicable to a forwarding device (“a method and apparatus for detecting propagation of malware…”, ¶0002), comprising: 
in response to receiving an address resolution protocol (ARP) packet initiated by a target terminal (“an ARP response”, ¶0033) determining whether a number of interacting terminals in the LAN that have perform ARP interaction with the target terminal (“…NE 310 may be equipped with ARP counters for counting the ARP requests (queries) and responses, respectively…”) reaches a first preset threshold (“…preset limits corresponding to each count value…”, ¶0031); 
in response to that the number of interacting terminals reaches the first preset threshold, determining whether a number of abnormal terminal relationships corresponding to the target terminal reaches a second preset threshold (“…the attack ID logic 323 compares the counter values against the limits. If any limits were exceeded, an attack is declared (642)…”, ¶0092), 
wherein for one of the number of abnormal terminal relationships, the target terminal performs interaction with other terminal in the LAN by sending a first service packet of which a destination port belongs to preset risky ports (“Header data processing unit 1014 monitors the packets seen on the port 1012 and examines the data in various fields of the packets header with a view to determine the packet type and to identify the source and destination of the packet”, ¶0118, wherein port 1012 is one of the preset risky ports from where virus, trojan or other threats can propagate or spread to other network terminals or equipment),
and in response to that the number of abnormal terminal relationships reaches the second preset threshold, providing protection to the target terminal so to suppress virus propagation in the LAN (“…If any threshold is exceeded, the corresponding client device 30 may be advantageously isolated for further analysis or other remedial action via the attack containment logic 46”, ¶0036).  
	However, Abdel-Aziz does not explicitly disclose the following limitation taught by Zhiqing:
and the first service packet corresponds to a service packet sent to the other terminal by the target terminal immediately after acquiring a media access control (MAC) address of the other terminal by performing the ARP interaction with the other terminal 
Zhiqing discloses malware that broadcasts ARP requests to look up MAC addresses in order to propagate into other hosts in the network (“In order to propagate into other hosts or steal important information from its databases in a LAN, malware tries to find open TCP ports from all the hosts in the network. In this process, it broadcasts ARP requests to lookup the MAC address from all the IP addresses one-by-one, which we call ARP scan, in this paper. Then, it sends TCP SYNs to potentially available ports, which is TCP port scan. If it gets TCP SYN+ACK from the target host, it means that the TCP port is open”, page 179, left col. Lines 42-45, page 179, right col. Lines 1-5, wherein the TCP SYN is the first service packet).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the method of Abdel-Aziz to include the concept of malware sending an ARP request to acquire the MAC address of another terminal in order to propagate itself into other hosts/terminals as disclosed by Zhiqing, and would have been motivated to do so in order to differentiate between vulnerability tests and malware attacks happening in a Local Area Network system and to warn the network administrator with higher priority in case of malware attacks (Zhiqing, abstract, in part).
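The two-stage check recited in claim 1, with the counter updates of claims 2 and 4, can be sketched as follows. This is an added illustration and is not code from the application, Abdel-Aziz or Zhiqing; the threshold values, the one-second window standing in for "immediately after", the class and function names, and the sample events are all assumptions constructed for the example, and the risky-port set is a subset of the examples listed under Claim Interpretation.

```python
from collections import defaultdict

# Assumed values: the office action names no thresholds or time window.
RISKY_PORTS = {135, 139, 445, 3389}  # subset of the examples in Claim Interpretation
FIRST_THRESHOLD = 3                  # number of ARP-interacting terminals (assumed)
SECOND_THRESHOLD = 2                 # number of abnormal terminal relationships (assumed)
FOLLOWUP_WINDOW = 1.0                # seconds treated as "immediately after" ARP (assumed)


class PropagationMonitor:
    """Per-terminal state a forwarding device would keep for the two-stage check."""

    def __init__(self):
        self.peers = defaultdict(set)     # terminal -> terminals it exchanged ARP with
        self.pending = {}                 # (terminal, peer) -> ARP time, until first service packet
        self.abnormal = defaultdict(set)  # terminal -> peers counted as abnormal relationships
        self.isolated = set()

    def on_arp(self, ts, terminal, peer):
        # Claim 2: update the interacting-terminal count from the ARP packet.
        self.peers[terminal].add(peer)
        self.pending[(terminal, peer)] = ts
        # Claim 1: the second threshold is consulted only once the first is reached.
        if (len(self.peers[terminal]) >= FIRST_THRESHOLD
                and len(self.abnormal[terminal]) >= SECOND_THRESHOLD):
            self.isolated.add(terminal)
        return terminal in self.isolated

    def on_service(self, ts, terminal, peer, dport):
        # Only the first service packet after an ARP exchange is examined.
        arp_ts = self.pending.pop((terminal, peer), None)
        if arp_ts is None:
            return
        # Claim 4: a risky destination port updates the abnormal-relationship count.
        if ts - arp_ts <= FOLLOWUP_WINDOW and dport in RISKY_PORTS:
            self.abnormal[terminal].add(peer)


def run(events):
    """Replay (ts, kind, src, dst, dport) events; return the isolated terminals."""
    mon = PropagationMonitor()
    for ts, kind, src, dst, dport in events:
        if src in mon.isolated:
            continue  # protection applied: traffic from this terminal is dropped
        if kind == "arp":
            mon.on_arp(ts, src, dst)
        else:
            mon.on_service(ts, src, dst, dport)
    return mon.isolated


# Constructed sample: 10.0.0.5 sweeps the LAN, 10.0.0.9 is an ordinary client.
EVENTS = [
    (0.00, "arp", "10.0.0.5", "10.0.0.11", None), (0.01, "tcp", "10.0.0.5", "10.0.0.11", 445),
    (0.10, "arp", "10.0.0.9", "10.0.0.1", None),  (0.11, "tcp", "10.0.0.9", "10.0.0.1", 443),
    (0.20, "arp", "10.0.0.5", "10.0.0.12", None), (0.21, "tcp", "10.0.0.5", "10.0.0.12", 445),
    (0.30, "arp", "10.0.0.9", "10.0.0.20", None), (0.31, "tcp", "10.0.0.9", "10.0.0.20", 445),
    (0.40, "arp", "10.0.0.5", "10.0.0.13", None),  # third peer, two abnormal: isolated here
    (0.50, "arp", "10.0.0.9", "10.0.0.30", None), (0.51, "tcp", "10.0.0.9", "10.0.0.30", 631),
    (0.60, "arp", "10.0.0.9", "10.0.0.31", None),  # four peers but only one abnormal
]
```

The ordinary client reaches the first threshold but has a single abnormal relationship, so only the sweeping terminal is isolated.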

Regarding claim 2, Abdel-Aziz in view of Zhiqing discloses the method of claim 1. Abdel-Aziz further discloses the method of claim 1 further comprising: updating the number of interacting terminals based on the ARP packet (“an ARP_query_in packet will update an ARP_query_in counter 315, an ARP_response_out packet will update the ARP ARP_response_out counter, etc…”, ¶0048).  

Regarding claim 4, Abdel-Aziz in view of Zhiqing discloses the method of claim 1. Abdel-Aziz further discloses further comprising: Page 43 - APPLICATION; Docket No. KEW21301
in response to receiving the first service packet, determining whether a destination port number carried in the first service packet indicates one of the preset risky ports (“data processing unit 1014 monitors the packets seen on the port 1012 and examines the data in various fields of the packets header with a view to determine the packet type and to identify the source and destination of the packet…”, ¶0118, wherein port 1012 represents the risky ports that can be used to propagate the attack/virus) and (“address data may be the destination IP address, or the destination IP address and destination port number or a combination of these”, ¶0119); 
and in response to that the destination port number carried in the first service packet indicates one of the preset risky ports, updating the number of abnormal terminal relationships (“The source address and packet type may be used to identify the appropriate destinations estimating unit 16 to be updated for the current packet seen on port 1012...”, ¶0119).  
NB risky ports are commonly-used ports exposed to the internet and are considered high risk. Port 1012 is vulnerable to Trojan, Doly Trojan and threat.

Regarding claim 5, Abdel-Aziz in view of Zhiqing discloses the method of claim 1. 
Abdel-Aziz further discloses wherein the ARP packet comprises: an ARP request packet; and/or an ARP response packet (“The exemplary header data processing logic 22, moreover, is operative to classify each PDU 17 by type for any combination of the following PDU types: i) an ARP request, ii) an ARP response…”, ¶0033).  

Regarding claim 6, Abdel-Aziz in view of Zhiqing discloses the method of claim 1. 
Abdel-Aziz further discloses wherein the first service packet comprises: a transmission control protocol (TCP) packet; and/or a user datagram protocol (UDP) packet (“PDUs include data units formatted according to various transmission protocols, such as IP packets, TCP packets, frames, etc.”, ¶0027).

Regarding claim 12, Abdel-Aziz discloses a forwarding device in a LAN, comprising: a processor; a memory for storing program instructions (executable instructions, ¶0027) that are executable by the processor to perform operations comprising:
in response to receiving an address resolution protocol (ARP) packet initiated by a target terminal (“an ARP response”, ¶0033), determining whether a number of interacting terminals in the LAN that have perform ARP interaction with the target terminal (“…NE 310 may be equipped with ARP counters for counting the ARP requests (queries) and responses, respectively…”) reaches a first preset threshold (“…preset limits corresponding to each count value…”, ¶0031);  
in response to that the number of interacting terminals reaches the first preset threshold, determining whether a number of abnormal terminal relationships corresponding to the target terminal reaches a second preset threshold (“…the attack ID logic 323 compares the counter values against the limits. If any limits were exceeded, an attack is declared (642)…”, ¶0092), 
wherein for one of the number of abnormal terminal relationships, the target terminal performs interaction with other terminal in the LAN by sending a first service packet of which a destination port belongs to preset risky ports, (“Header data processing unit 1014 monitors the packets seen on the port 1012 and examines the data in various fields of the packets header with a view to determine the packet type and to identify the source and destination of the packet”, ¶0118, wherein port 1012 is one of the preset risky ports from where virus, trojan or other threats can propagate or spread to other network terminals or equipment),
and in response to that the number of abnormal terminal relationships reaches the second preset threshold, providing protection to the target terminal so to suppress virus propagation in the LAN (“…If any threshold is exceeded, the corresponding client device 30 may be advantageously isolated for further analysis or other remedial action via the attack containment logic 46”, ¶0036).  
However, Abdel-Aziz does not explicitly disclose the following limitation taught by Zhiqing: 
and the first service packet corresponds to a service packet sent to the other terminal by the target terminal immediately after acquiring a media access control (MAC) address of the other terminal by performing the ARP interaction with the other terminal
Zhiqing discloses malware that broadcasts ARP requests to look up MAC addresses in order to propagate into other hosts in the network (“In order to propagate into other hosts or steal important information from its databases in a LAN, malware tries to find open TCP ports from all the hosts in the network. In this process, it broadcasts ARP requests to lookup the MAC address from all the IP addresses one-by-one, which we call ARP scan, in this paper. Then, it sends TCP SYNs to potentially available ports, which is TCP port scan. If it gets TCP SYN+ACK from the target host, it means that the TCP port is open”, page 179, left col. Lines 42-45, page 179, right col. Lines 1-5, wherein the TCP SYN is the first service packet).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the method of Abdel-Aziz to include the concept of malware sending an ARP request to acquire the MAC address of another terminal in order to propagate itself into other hosts/terminals as disclosed by Zhiqing, and would have been motivated to do so in order to differentiate between vulnerability tests and malware attacks happening in a Local Area Network system and to warn the network administrator with higher priority in case of malware attacks (Zhiqing, abstract, in part).

 

Regarding claim 13, Abdel-Aziz in view of Zhiqing discloses the forwarding device of claim 12. 
Abdel-Aziz further discloses wherein the operations further comprises: updating the number of interacting terminals based on the ARP packet (“an ARP_query_in packet will update an ARP_query_in counter 315, an ARP_response_out packet will update the ARP ARP_response_out counter, etc…”, ¶0048).   

Regarding claim 15, Abdel-Aziz in view of Zhiqing discloses the forwarding device of claim 12. 
Abdel-Aziz further discloses wherein the operations further comprises: 
in response to receiving the first service packet, determining whether a destination port number carried in the first service packet indicates one of the preset risky ports (“data processing unit 1014 monitors the packets seen on the port 1012 and examines the data in various fields of the packets header with a view to determine the packet type and to identify the source and destination of the packet…”, ¶0118, wherein port 1012 is one of  the risky ports that can be  used to propagate the attack/virus) and (“address data may be the destination IP address, or the destination IP address and destination port number or a combination of these”, ¶0119); 
and in response to that the destination port number carried in the first service packet indicates one of the preset risky ports, updating the number of abnormal terminal relationships (“The source address and packet type may be used to identify the appropriate destinations estimating unit 16 to be updated for the current packet seen on port 1012...”, ¶0119).   
NB risky ports are commonly-used ports exposed to the internet and are considered high risk. Port 1012 is vulnerable to Trojan, Doly Trojan and threat.
 
Regarding claim 16, Abdel-Aziz in view of Zhiqing discloses the forwarding device of claim 12. 
Abdel-Aziz further discloses wherein the ARP packet comprises: an ARP request packet and/or an ARP response packet (“The exemplary header data processing logic 22, moreover, is operative to classify each PDU 17 by type for any combination of the following PDU types: i) an ARP request, ii) an ARP response…”, ¶0033). 
Regarding claim 17, Abdel-Aziz in view of Zhiqing discloses the forwarding device of claim 12. 
Abdel-Aziz further discloses wherein the first one of service packets comprises: a TCP packet and/or a UDP packet (“PDUs include data units formatted according to various transmission protocols, such as IP packets, TCP packets, frames, etc.”, ¶0027).
 
Allowable Subject Matter
Claims 3 and 14 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
 


Conclusion
	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: CN 110266668 A and U.S. PGPub. No. 20190104127.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MUDASIRU K OLAEGBE whose telephone number is (571)272-2082. The examiner can normally be reached MON-FRI. 7.30AM-5.30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 5712723739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MUDASIRU K OLAEGBE/Examiner, Art Unit 2495

/FARID HOMAYOUNMEHR/Supervisory Patent Examiner, Art Unit 2495