Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Detailed Action
This office action is in response to application 17/472,464 filed on 09/10/2021. Claims 1-16 are pending in this communication.

Priority
This application claims priority from application 15/885,388 (filed 01/31/2018, PAT 11159538). The priority date has been accepted.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 09/10/2021, 01/03/2022 & 09/30/2022 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner. 

Examiner’s Note
The examiner requests that the applicant’s representative provide a direct phone number and email address in the next communication, which will be very helpful in advancing the prosecution.
Generally, the text that is italicized is claim language; the text in bold is reference citations (with some obvious exceptions); text that is neither italicized nor bolded is by the examiner.
The Examiner used figures, paragraph and line numbers from the instant application’s pre-grant publication or the PDF copy of the allowance. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claim 16 is rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter (software per se).
Regarding claim 16: the claim calls for a computer program product; however, no hardware element is found within the claimed computer program product. The specification does not explicitly define that the claimed computer program product is implemented only in hardware. The specification recites in [0013] “a computer program product embodied on a computer readable storage medium; and/or a processor, such as a processor configured to execute instructions stored on and/or provided by a memory coupled to the processor.” One of ordinary skill in the art would understand that a ‘processor’ could be a software processor (see “The Authoritative Dictionary of IEEE Standards Terms,” Seventh Edition, published in 2000). The recited “computer readable storage medium” encompasses transitory media such as signals or carrier waves where, as here, the Specification does not limit the computer readable storage medium to non-transitory forms. See Ex parte Mewherter, 107 USPQ2d 1857, 1862. As the body of the claim does not positively recite any hardware embodiment, the claim is directed to non-statutory subject matter. The nominal recitation of the computer program product in the preamble, with an absence of a hardware element in the body of the claim, fails to make the claim statutory under 35 USC 101. See Am. Med. Sys., Inc. v. Biolitec, Inc., 618 F.3d 1354, 1358 (Fed. Cir. 2010). The Examiner respectfully suggests that the claim be further amended to positively recite at least one hardware element within the body of the claim to make the claim statutory subject matter under 35 U.S.C. 101. This rejection could be overcome by including language such as ‘non-transitory storage media’, ‘hardware processor’ or ‘processor coupled to memory’.


Claim Rejections - 35 USC § 103
The following is a quotation of AIA 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-8, 11, 13, 15 and 16 are rejected under AIA 35 U.S.C. 103 as being unpatentable over CHARI; Suresh N. et al., Pub. No.: US 2015/0326594 A1 in view of VASANT; Sachin et al., Pub. No.: US 2017/0155562 A1.

Regarding Claim 1, CHARI discloses a system, comprising:
a processor configured {[0044], “The computer readable storage medium (or media), being a tangible, non-transitory, storage medium having instructions recorded thereon for causing a processor circuit to perform a method”} to:
receive a malware profile, wherein the malware profile … that describe one or more activities associated with executing a copy of a known malicious application that is associated with the malware profile {Fig. 3 step 56 & [0037], “The system 20 (Fig. 2) may also detect … data profiles, hacking profiles, unauthorized file sharing profiles, and other types of data indicating unauthorized or inappropriate network usage”};
analyze a set of one or more logs for a set of entries that matches the malware profile {[0015], “the system 20 logs, analyzes and responds to network traffic from the user-supplied device 12 to local resources 24 as well as third-party resources accessed over the Internet 18 via the gateway 26. … the system 20 detects and records a device inventory 21 including the device type and version(s) of the applications and operating systems utilized. The system 20 also detects and records a network activity profile 23 for the device including the timing and frequency of resources accessed, data uploaded and downloaded, specific data commands”};
determine, based at least in part on identifying the set of entries as matching the malware profile, that a host was compromised {Fig. 3 & [0034], “The system 20 may track access patterns, keystrokes and other inputs to identify anomalous and inappropriate network traffic that does not match known or authorized application access patterns as an indication of an increased security risk” … [0037], “In block 53, the system 20 detects high-risk network activity by tracking and analyzing resources accessed, content accessed or provided, and other access parameters”}; and
in response to determining that the host has been compromised, take a remedial action with respect to the host {Fig. 3 & [0039], “In block 54, the system 20 implements appropriate response actions that may involve one or more of network security measures including, but not limited to, user notification, disconnection of the device from the network, implementing corrective action on the network and/or device, and notification of others”}; and
a memory coupled to the processor and configured to provide the processor with instructions {[0044], “The computer readable storage medium (or media), being a tangible, non-transitory, storage medium having instructions recorded thereon for causing a processor circuit to perform a method”}.
CHARI, however, does not explicitly disclose
… malware profile that comprises a set of n-tuples of attributes … 
In an analogous reference VASANT discloses
… malware profile that comprises a set of n-tuples of attributes {ABS., “A network management entity is configured to communicate with one or more network security devices … to store in a respective event queue an event for each attempt to access a network … “ … claim 5: “wherein each event represents the destination as a tuple having destination attributes in corresponding attribute positions of the tuple, and the determining the top destinations includes: generating a hierarchical dataset of the tuples and generalized tuples that coalesce two or more tuples having identical attributes in corresponding ones of the attribute positions; and identifying the top destinations as tuples and generalized tuples in the hierarchical data set based on numbers of occurrences of each tuple in the collected events”} …
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify CHARI’s technique of ‘creating a benchmark malware profile of a data network, analyzing logs related to the malware profile and taking remediating actions’ with ‘collecting multiple tuples of attributes of network security event data’, as taught by VASANT, in order to profile and remediate data traffic. The motivation is that the goal of malware analysis is to gain an understanding of how a specific piece of malware functions so that defenses can be built to protect an organization's network and reduce network interruption, damage to business reputation and financial burden.
All references are inventions in an analogous area, but each reference teaches a specific claimed limitation and the references mutually cure each other’s deficiencies. When all the claimed techniques are combined, they teach the claimed invention. The Examiner notes that this motivation applies to all dependent and/or otherwise subsequently addressed claims unless addressed separately.

Regarding Claim 2, CHARI as modified by VASANT discloses all the features of claim 1. The combination further discloses
 wherein the set of logs comprises entries associated with a plurality of hosts and wherein analyzing the set of logs includes performing, for each respective host included in the plurality of hosts, a search {CHARI: [0015], “the system 20 logs, analyzes and responds to network traffic from the user-supplied device 12 to local resources 24 as well as third-party resources accessed over the Internet 18 via the gateway 26. … the system 20 detects and records a device inventory 21 including the device type and version(s) of the applications and operating systems utilized. The system 20 also detects and records a network activity profile 23 for the device including the timing and frequency of resources accessed, data uploaded and downloaded, specific data commands.” Examiner’s note: the system looks or searches for all devices in the inventory with device types and versions}.

Regarding Claim 3, CHARI as modified by VASANT discloses all the features of claim 1. The combination further discloses
 wherein identifying that the set of entries matches the malware profile comprises determining a subsequence match {CHARI: Fig. 3 & [0034], “The system 20 may track access patterns, keystrokes and other inputs to identify anomalous and inappropriate network traffic that does not match known or authorized application access patterns as an indication of an increased security risk” … [0037], “In block 53, the system 20 detects high-risk network activity by tracking and analyzing resources accessed, content accessed or provided, and other access parameters”}.

Regarding Claim 4, CHARI as modified by VASANT discloses all the features of claim 1. The combination further discloses
 wherein the processor is further configured to transmit a copy of a sample to a security platform for analysis {CHARI: [0010], “The system 20 includes or interfaces with supporting data components, including a log of device inventory profiles 21, a log of inventory activity profiles 23, a log of malware definitions 25, a log of high-risk activity profiles 27, and other data repositories and heuristic data analysis tools”}.

Regarding Claim 5, CHARI as modified by VASANT discloses all the features of claim 1. The combination further discloses
 wherein the malware profile is received from the security platform {CHARI: [0010], “The system 20 includes or interfaces with supporting data components, including a log of device inventory profiles 21, a log of inventory activity profiles 23, a log of malware definitions 25, a log of high-risk activity profiles 27, and other data repositories and heuristic data analysis tools”}.

Regarding Claim 6, CHARI as modified by VASANT discloses all the features of claim 1. The combination further discloses
 wherein the malware profile is received in response to the security platform determining that the sample is malicious {CHARI: [0016], “The system 20 may also detect and block access to sites and downloads that have known malware or exhibit malicious behavior”}.

Regarding Claim 7, CHARI as modified by VASANT discloses all the features of claim 1. The combination further discloses
 wherein analyzing the set of one or more logs is performed in response to receipt of the malware profile {CHARI: [0016], “The network data collecting and response system 20 may also monitor, analyze, and respond to unauthorized network use and other security risks in real time”}.

Regarding Claim 8, CHARI as modified by VASANT discloses all the features of claim 1. The combination further discloses
 wherein the malware profile is generated at least in part by abstracting a capture of network activity associated with the execution of the known malicious application into a set of network activities taken by the known malicious application {CHARI: [0016], “This typically includes monitoring which applications are used concurrently or in close temporal proximity and assessing the risks of data leakage, corruption and unauthorized use posed to the organization based on specific resources, combinations of resources, and data flows accessed by the device 12”}.

Regarding Claim 11, CHARI as modified by VASANT discloses all the features of claim 1. The combination further discloses
 wherein at least one activity included in the set of activities taken by the known malicious application comprises service probing {CHARI: [0037], “In block 53, the system 20 detects high-risk network activity by tracking and analyzing resources accessed, content accessed or provided, and other access parameters”}.

Regarding Claim 13, CHARI as modified by VASANT discloses all the features of claim 1. The combination further discloses
 wherein at least one activity included in the set of activities taken by the known malicious application comprises a local action taken by the known malicious application {CHARI: [0009], “which further provides the device with access to local resources 24 on the LAN and external resources on the Internet 18 through a gateway 26. The data collection and response system 20 monitors, tracks, controls and limits the device's access to the network to identify and respond to unauthorized, inappropriate, and high-risk network activity”}.

Regarding claim 15, claim 15 is a claim to a method using the system of claim 1. Therefore, claim 15 is rejected for the reasons set forth for claim 1.

Regarding claim 16, claim 16 is a claim to a computer program product using the system of claim 1. Therefore, claim 16 is rejected for the reasons set forth for claim 1.

Claims 9, 10 & 12 are rejected under AIA 35 U.S.C. 103 as being unpatentable over CHARI; Suresh N. et al., Pub. No.: US 2015/0326594 A1 in view of VASANT; Sachin et al., Pub. No.: US 2017/0155562 A1 and further in view of MOORE; Sean et al., Pat. No.: US 10,862,909 B2.

Regarding Claim 9, CHARI as modified by VASANT discloses all the features of claim 1. The combination however does not disclose
 wherein the malware profile is further generated at least in part by removing network activity coincident to the execution of the known malicious application.
In an analogous reference MOORE discloses
wherein the malware profile is further generated at least in part by removing network activity coincident to the execution of the known malicious application {ABS. & col. 3 lines 56-61, “When an overload condition is detected, some policy management servers may direct some packet security gateways to enforce a first set of policies. Policies in this first set may contain rules that block all packets except for packets associated with protocols and applications that are necessary for the Internet and critical Internet applications to operate”}.
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify CHARI’s technique as modified by VASANT of ‘creating a benchmark malware profile of a data network, analyzing logs related to the malware profile and taking remediating actions, collecting multiple tuples of attributes of network security event data’ with ‘filtering out network-supporting protocol traffic that is not relevant for malware remediation analysis’ as taught by MOORE. The motivation is to reduce the data load for analysis, reduce processing and storage resources and develop an effective malware prevention system.
All references are inventions in an analogous area, but each reference teaches a specific claimed limitation and the references mutually cure each other’s deficiencies. When all the claimed techniques are combined, they teach the claimed invention. The Examiner notes that this motivation applies to all dependent and/or otherwise subsequently addressed claims unless addressed separately.

Regarding Claim 10, CHARI as modified by VASANT & MOORE discloses all the features of claim 1. The combination however does not disclose
 wherein at least one network activity removed comprises at least one of NTP activity, NETBIOS activity, and IGMP activity.
MOORE further discloses
wherein at least one network activity removed comprises at least one of NTP activity, NETBIOS activity, and IGMP activity {MOORE: col. 3 lines 60-64, “Policies in this first set may contain rules that block all packets except for packets associated with protocols and applications that are necessary for the Internet and critical Internet applications to operate. These protocols and applications may include, for example, … the Network Time Protocol (NTP).” Examiner’s note: network-supporting traffic such as NTP is filtered out to reduce load and irrelevant data when the malware prevention policy so dictates; here NTP traffic is filtered to reduce the computing resources spent on malware intrusion data}.

Regarding Claim 12, CHARI as modified by VASANT discloses all the features of claim 1. The combination however does not disclose
 wherein at least one activity included in the set of activities taken by the known malicious application comprises a denial of service activity.
MOORE further discloses
wherein at least one activity included in the set of activities taken by the known malicious application comprises a denial of service activity {col. 7 line 65 - col. 8 line 3, “Overload conditions may also be caused by one or more malicious agents. An overload condition that is caused by malicious agents may be a DoS attack. In a DoS attack, a logical network, or botnet, of malicious agents, or bots, may generate attack packet traffic when a so-called command-and-control agent directs the bots to launch an attack”}.
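The claimed pipeline as the Examiner maps it (a malware profile made of n-tuples of attributes, claim 1; per-host log analysis, claim 2; a subsequence match, claim 3; removal of coincident NTP/NETBIOS/IGMP activity, claims 9 and 10) is illustrated below in an added Python example. This is not code from the application or from CHARI, VASANT or MOORE; the tuple shape (protocol, destination port, activity), the protocol names, the log lines and the remedial actions are constructed assumptions.

```python
from collections import defaultdict

# Protocols treated as background noise coincident with any execution (the
# claim language names NTP, NETBIOS and IGMP); they are dropped from the profile.
COINCIDENT_PROTOCOLS = {"ntp", "netbios", "igmp"}

# Constructed sandbox capture of a known malicious sample: each record is an
# n-tuple (protocol, destination port, activity). Values are illustrative only.
SANDBOX_CAPTURE = [
    ("ntp", 123, "time_sync"),
    ("dns", 53, "resolve"),
    ("tcp", 445, "service_probe"),
    ("netbios", 137, "name_query"),
    ("http", 8080, "beacon"),
    ("igmp", 0, "membership_report"),
]

def build_profile(capture):
    """Abstract a capture into the ordered list of activity n-tuples, removing
    protocols that are coincident to execution rather than caused by it."""
    return [t for t in capture if t[0] not in COINCIDENT_PROTOCOLS]

def is_subsequence(profile, activities):
    """True if every tuple of the profile appears in the host's activity
    stream in order, with any number of unrelated entries in between."""
    i = 0
    for act in activities:
        if i < len(profile) and act == profile[i]:
            i += 1
    return i == len(profile)

def analyze_logs(profile, log_entries):
    """Group time-ordered log entries by host and return the hosts whose
    activity contains the profile as a subsequence (assumed compromised)."""
    per_host = defaultdict(list)
    for host, proto, port, activity in log_entries:
        per_host[host].append((proto, port, activity))
    return sorted(h for h, acts in per_host.items() if is_subsequence(profile, acts))

def remedial_actions(compromised_hosts):
    """Map each compromised host to the responses the Examiner cites from
    CHARI: user notification and disconnection of the device from the network."""
    return {h: ["notify_user", "disconnect_from_network"] for h in compromised_hosts}

# Constructed log entries: (host, protocol, destination port, activity), time-ordered.
# host-a performs the profile's activities in order (with noise in between);
# host-b performs the same activities but out of order, so it does not match.
SAMPLE_LOGS = [
    ("host-a", "dns", 53, "resolve"),
    ("host-b", "dns", 53, "resolve"),
    ("host-a", "http", 443, "browse"),
    ("host-a", "tcp", 445, "service_probe"),
    ("host-b", "http", 8080, "beacon"),
    ("host-a", "ntp", 123, "time_sync"),
    ("host-a", "http", 8080, "beacon"),
    ("host-b", "tcp", 445, "service_probe"),
]

if __name__ == "__main__":
    profile = build_profile(SANDBOX_CAPTURE)
    hits = analyze_logs(profile, SAMPLE_LOGS)
    print("profile:", profile)
    print("compromised:", hits, remedial_actions(hits))
```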

Claim 14 is rejected under AIA 35 U.S.C. 103 as being unpatentable over CHARI; Suresh N. et al., Pub. No.: US 2015/0326594 A1 in view of VASANT; Sachin et al., Pub. No.: US 2017/0155562 A1 and further in view of RAFF; Aviv et al., Pub. No.: US 2015/0381637 A1.

Regarding Claim 14, CHARI as modified by VASANT discloses all the features of claim 1. The combination however does not explicitly disclose
 wherein the malware profile corresponds to a malware family and wherein the known malicious application shares the malware profile with a plurality of malicious applications that are members of the malware family.
In an analogous reference RAFF discloses
wherein the malware profile corresponds to a malware family and wherein the known malicious application shares the malware profile with a plurality of malicious applications that are members of the malware family {[0072], “profile malware attacks that are tough to detect in a single client network deployment may be detected by aggregating evidence from a plurality of organizations over time” … [0076], “providing extensive coverage of many malware family types, regardless of their characteristics and methods of infection based upon log based analysis using a plurality of log files associated with various business units and customers and product vendors”}.
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify CHARI’s technique as modified by VASANT of ‘creating a benchmark malware profile of a data network, analyzing logs related to the malware profile and taking remediating actions, collecting multiple tuples of attributes of network security event data’ to ‘organize malware data analysis and remediation by malware family’ as taught by RAFF, in order to narrow down the search and target the remediation objective. The motivation is to improve the efficiency of malware detection and remediation and not miss unknown malware from a known malware family.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to QUAZI FAROOQUI, whose telephone number is (571) 270-1034. The examiner can normally be reached on M-F 8:30AM-5:00PM. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Ashok B. Patel, can be reached at 571-272-3972. The fax number assigned to Examiner Farooqui is 571-270-2034.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/QUAZI FAROOQUI/
Primary Examiner, Art Unit 2491