Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

2.	This office action is in response to the communication filed on 07/23/2021.

3.	Status of claims in the instant application:
Claims 1-19 are pending.

Drawings
4.	The drawings filed on 07/23/2021 are acceptable for examination proceedings.

Specification
5.	The specification filed on 07/23/2021 is acceptable for examination proceedings.

Priority
6.	Application 17384431, filed 07/23/2021, is a continuation of 16398503, filed 04/30/2019, now U.S. Patent #11108790. Therefore, the effective filing date for the subject matter defined in the pending claims of this application is April 30, 2020.


Information Disclosure Statement
7.	Information Disclosure Statements (IDS) filed on 07/23/2021 have been considered, and signed copies of the IDS forms have been attached to this office action.
Internet Communications
8. 	Applicant is encouraged to submit a written authorization for Internet communications (PTO/SB/439, http://www.uspto.gov/sites/defauit/files/documents/sb0439.pdf) in the instant patent application to authorize the examiner to communicate with the applicant via email. The authorization will allow the examiner to better practice compact prosecution. The written authorization can be submitted via one of the following methods only: (1) Central Fax, which can be found in the Conclusion section of this Office action; (2) regular postal mail; (3) EFS WEB; or (4) the service window on the Alexandria campus. EFS web is the recommended way to submit the form since this allows the form to be entered into the file wrapper within the same day (system dependent). Written authorization submitted via other methods, such as direct fax to the examiner or email, will not be accepted. See MPEP § 502.03.

Double Patenting
9.	The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).

A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).

The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

10.	Claims 1-19 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-19 of U.S. Patent No. 11,108,790 in view of Katmor et al. (US Pub. No. US 2016/0149967 A1). Although the conflicting claims are not identical, they are not patentably distinct from each other because of the following mapping between the claims of the present application and the ‘790 patent:
Left entry: ‘790 US Patent. Right entry: Instant / current application No. 17/384,431.

Claim 1
‘790 patent: A method for detecting malicious activity on a network, the method comprising: gathering data regarding a first state of a computing environment; executing at least one attack tool in the computing environment to simulate malicious activity; gathering data regarding a second state of the computing environment after the at least one attack tool is executed; detecting at least one trace of the malicious activity from the data regarding the second state of the computing environment by comparing the data regarding the second state of the environment to the data regarding the first state of the computing environment; and autonomously generating at least one signature for detecting future malicious activity, wherein the at least one generated signature is based on the at least one detected trace.
Instant application: A method for detecting malicious activity on a network, the method comprising: gathering data regarding a first state of a computing environment; executing at least one attack tool in the computing environment to simulate malicious activity; gathering data regarding a second state of the computing environment after the at least one attack tool is executed; detecting at least one trace of the malicious activity from the data regarding the second state of the computing environment; and autonomously generating at least one signature for detecting future malicious activity, wherein the at least one generated signature is based on the at least one detected trace.

Claim 2
‘790 patent: The method of claim 1 wherein the computing environment is a sandbox environment.
Instant application: The method of claim 1 wherein the computing environment is a sandbox environment.

Claim 3
‘790 patent: The method of claim 1 further comprising detecting at least one difference between the first state of the computing environment and the second state of the computing environment based on the comparison, the at least one difference being the at least one trace of the malicious activity.
Instant application: The method of claim 1 wherein detecting the at least one trace comprises comparing the data regarding the second state of the computing environment to the data regarding the first state of the computing environment to detect at least one difference between the first state of the computing environment and the second state of the computing environment, the at least one difference being the at least one trace of the malicious activity.

Claim 4
‘790 patent: The method of claim 1 further comprising monitoring future network activity to detect activity matching the at least one generated signature, wherein activity matching the at least one generated signature indicates malicious activity.
Instant application: The method of claim 1 further comprising monitoring future network activity to detect activity matching the at least one generated signature, wherein activity matching the at least one generated signature indicates malicious activity.

Claim 5
‘790 patent: The method of claim 4 further comprising issuing an alert using a user interface upon detecting activity matching the at least one generated signature.
Instant application: The method of claim 4 further comprising issuing an alert using a user interface upon detecting activity matching the at least one generated signature.

Claim 6
‘790 patent: The method of claim 1 wherein the signature is defined by at least one signature parameter, and the method further includes receiving a recommendation to adjust at least one signature parameter to adjust the number of generated alerts regarding detected malicious activity.
Instant application: The method of claim 1 wherein the signature is defined by at least one signature parameter, and the method further includes receiving a recommendation to adjust at least one parameter to adjust the number of generated alerts regarding detected malicious activity.

Claim 7
‘790 patent: The method of claim 1 wherein the attack tool is defined by at least one attack parameter, and the method further includes autonomously adjusting the at least one attack parameter to generate a variance in the at least one trace of malicious activity and in the at least one generated signature.
Instant application: The method of claim 1 wherein the attack tool is defined by at least one attack parameter, and the method further includes autonomously adjusting the at least one attack parameter to generate a variance in the at least one trace of malicious activity and in the at least one generated signature.

Claim 8
‘790 patent: The method of claim 1 wherein the at least one trace includes at least one of a modified registry key, a modified file system access permission, a modified write access permission, a modified process, a modified file, and a dropped file.
Instant application: The method of claim 1 wherein the at least one trace includes at least one of a modified registry key, a modified file system access permission, a modified write access permission, a modified process, a modified file, and a dropped file.

Claim 9
‘790 patent: The method of claim 1 further comprising validating the generated signature against a historical dataset of signatures to determine whether the generated signature is associated with an anomalous amount of malicious activity compared to the historical dataset.
Instant application: The method of claim 1 further comprising validating the generated signature against a historical dataset of signatures to determine whether the generated signature is associated with an anomalous amount of malicious activity compared to the historical dataset.

Claim 10
‘790 patent: A system for detecting malicious activity on a network, the system comprising: at least one attack tool configured to simulate malicious activity; and a virtual security appliance configured to execute instructions stored on memory to: gather data regarding a first state of a computing environment before the attack tool simulates the malicious activity, gather data regarding a second state of the computing environment after the attack tool simulates the malicious activity; detect at least one trace of the malicious activity from the data regarding the second state of the computing environment by comparing the data regarding the second state of the environment to the data regarding the first state of the computing environment, and autonomously generate at least one signature for detecting future malicious activity, wherein the at least one generated signature is based on the at least one detected trace.
Instant application: A system for detecting malicious activity on a network, the system comprising: at least one attack tool configured to simulate malicious activity; and a virtual security appliance configured to execute instructions stored on memory to: gather data regarding a first state of a computing environment before the attack tool simulates the malicious activity, gather data regarding a second state of the computing environment after the attack tool simulates the malicious activity; detect at least one trace of the malicious activity from the data regarding the second state of the computing environment, and autonomously generate at least one signature for detecting future malicious activity, wherein the at least one generated signature is based on the at least one detected trace.

Claim 11
‘790 patent: The system of claim 10 wherein the computing environment is a sandbox environment.
Instant application: The system of claim 10 wherein the computing environment is a sandbox environment.

Claim 12
‘790 patent: The system of claim 10 wherein the virtual security appliance detects the at least one difference between the first state of the computing environment and the second state of the computing environment based on the comparison, the at least one difference being the at least one trace of the malicious activity.
Instant application: The system of claim 10 wherein the virtual security appliance detects the at least one trace by comparing the data regarding the second state of the computing environment to the data regarding the first state of the computing environment to detect at least one difference between the first state of the computing environment and the second state of the computing environment, the at least one difference being the at least one trace of the malicious activity.

Claim 13
‘790 patent: The system of claim 10 wherein the virtual security appliance is further configured to monitor future network activity to detect activity matching the at least one generated signature, wherein activity matching the at least one generated signature indicates malicious activity.
Instant application: The system of claim 10 wherein the virtual security appliance is further configured to monitor future network activity to detect activity matching the at least one generated signature, wherein activity matching the at least one generated signature indicates malicious activity.

Claim 14
‘790 patent: The system of claim 13 further comprising a user interface configured to issue an alert upon the virtual security appliance matching the at least one generated signature.
Instant application: The system of claim 13 further comprising a user interface configured to issue an alert upon the virtual security appliance matching the at least one generated signature.

Claim 15
‘790 patent: The system of claim 10 wherein the signature is defined by at least one signature parameter, and the virtual security appliance is configured to receive a recommendation to adjust at least one signature parameter to adjust the number of generated alerts regarding detected malicious activity.
Instant application: The system of claim 10 wherein the signature is defined by at least one signature parameter, and the virtual security appliance is configured to receive a recommendation to adjust at least one signature parameter to adjust the number of generated alerts regarding detected malicious activity.

Claim 16
‘790 patent: The system 10 wherein the attack tool is defined by at least one attack parameter, and the virtual security appliance is further configured to autonomously adjust the at least one attack parameter to generate a variance in the at least one trace of malicious activity and in the at least one generated signature.
Instant application: The system 10 wherein the attack tool is defined by at least one attack parameter, and the virtual security appliance is further configured to autonomously adjust the at least one attack parameter to generate a variance in the at least one trace of malicious activity and in the at least one generated signature.

Claim 17
‘790 patent: The system of claim 10 wherein the at least one trace includes at least one of a modified registry key, a modified file system access permission, a modified write access permission, a modified process, a modified file, and a dropped file.
Instant application: The system of claim 10 wherein the at least one trace includes at least one of a modified registry key, a modified file system access permission, a modified write access permission, a modified process, a modified file, and a dropped file.

Claim 18
‘790 patent: The system of claim 10 wherein the virtual security appliance is further configured to validate the generated signature against a historical dataset of signatures to determine whether the generated signature is associated with an anomalous amount of malicious activity compared to the historical dataset.
Instant application: The system of claim 10 wherein the virtual security appliance is further configured to validate the generated signature against a historical dataset of signatures to determine whether the generated signature is associated with an anomalous amount of malicious activity compared to the historical dataset.

Claim 19
‘790 patent: A non-transitory computer readable medium containing computer-executable instructions for performing a method for detecting malicious activity on a network, the computer readable medium comprising: computer-executable instructions for gathering data regarding a first state of a computing environment; computer-executable instructions for executing at least one attack tool in the computing environment to simulate malicious activity; computer-executable instructions for gathering data regarding a second state of the computing environment after the at least one attack tool is executed; computer-executable instructions for detecting at least one trace of the malicious activity from the data regarding the second state of the computing environment by comparing the data regarding the second state of the environment to the data regarding the first state of the computing environment; and computer-executable instructions for autonomously generating at least one signature for detecting future malicious activity, wherein the at least one generated signature is based on the at least one detected trace.
Instant application: A non-transitory computer readable medium containing computer-executable instructions for performing a method for detecting malicious activity on a network, the computer readable medium comprising: computer-executable instructions for gathering data regarding a first state of a computing environment; computer-executable instructions for executing at least one attack tool in the computing environment to simulate malicious activity; computer-executable instructions for gathering data regarding a second state of the computing environment after the at least one attack tool is executed; computer-executable instructions for detecting at least one trace of the malicious activity from the data regarding the second state of the computing environment; and computer-executable instructions for autonomously generating at least one signature for detecting future malicious activity, wherein the at least one generated signature is based on the at least one detected trace.
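The workflow the claims above describe (gather a first state, run an attack tool in a sandbox, gather a second state, diff the two states into traces, derive a signature, then match future activity against it, with the attack-parameter variance of claim 7 and the tunable signature parameter of claim 6) is shown here as an added example. It is not code from the office action, the ‘790 patent, the instant application or the cited references. The baseline host state, the registry key, the file paths and the "attack tool" (a function that only mutates an in-memory dict) are all constructed for illustration.

```python
import copy
import hashlib

# Constructed baseline state of a sandbox host (not real data): file hashes,
# registry values, running processes and directory permissions.
BASELINE = {
    "files": {"C:/Windows/System32/kernel32.dll": "constructed-hash-0"},
    "registry": {"HKLM/Software/Example/Version": "1.0"},
    "processes": {"explorer.exe", "svchost.exe"},
    "permissions": {"C:/Windows/Temp": "rw-"},
}
# Hypothetical persistence key used by the simulated tool below.
RUN_KEY = "HKCU/Software/Microsoft/Windows/CurrentVersion/Run/Updater"


def snapshot(env):
    """Gather data regarding the state of the environment (first or second state)."""
    return copy.deepcopy(env)


def simulated_attack(env, params):
    """Stand-in for the claimed attack tool: it only mutates the in-memory dict,
    so nothing touches a real host. 'dropped_file' is the attack parameter
    that is varied between runs (claim 7)."""
    dropped = params.get("dropped_file", "C:/Users/Public/update.exe")
    payload = params.get("payload", b"constructed payload bytes")
    env["files"][dropped] = hashlib.sha256(payload).hexdigest()  # dropped file
    env["registry"][RUN_KEY] = dropped                            # modified registry key
    env["processes"].add(dropped)                                 # modified process list
    env["permissions"]["C:/Windows/Temp"] = "rwx"                 # modified permission
    return env


def diff_states(first, second):
    """Compare the second state to the first; every difference is a trace
    (category, change, key, value_after)."""
    traces = []
    for category in ("files", "registry", "permissions"):
        before, after = first[category], second[category]
        for key in sorted(set(before) | set(after)):
            if key not in before:
                traces.append((category, "added", key, after[key]))
            elif key not in after:
                traces.append((category, "removed", key, before[key]))
            elif before[key] != after[key]:
                traces.append((category, "modified", key, after[key]))
    for proc in sorted(second["processes"] - first["processes"]):
        traces.append(("processes", "added", proc, None))
    return traces


def generate_signature(traces, min_matches=2):
    """Derive a signature from the traces. min_matches is the signature
    parameter an analyst could be recommended to adjust to change alert
    volume (claim 6)."""
    return {
        "indicators": frozenset((c, a, k) for c, a, k, _ in traces),
        "file_hashes": frozenset(v for c, _, _, v in traces if c == "files" and v),
        "min_matches": min_matches,
    }


def generalize(sig_a, sig_b):
    """Keep only indicators that survived a change of attack parameter, so the
    signature does not key on a file name the tool can trivially vary."""
    return {
        "indicators": sig_a["indicators"] & sig_b["indicators"],
        "file_hashes": sig_a["file_hashes"] & sig_b["file_hashes"],
        "min_matches": min(sig_a["min_matches"], sig_b["min_matches"]),
    }


def matches(signature, observed_events):
    """Monitor future activity: observed_events is a list of
    (category, change, key) tuples from a host; alert when enough match."""
    hits = signature["indicators"] & frozenset(observed_events)
    return len(hits) >= signature["min_matches"]


def run_pipeline(params):
    """Claim 1 end to end: first state, attack tool, second state, diff, signature."""
    first = snapshot(BASELINE)
    second = snapshot(simulated_attack(snapshot(BASELINE), params))
    traces = diff_states(first, second)
    return traces, generate_signature(traces)


if __name__ == "__main__":
    traces_a, sig_a = run_pipeline({"dropped_file": "C:/Users/Public/update.exe"})
    traces_b, sig_b = run_pipeline({"dropped_file": "C:/ProgramData/svc.exe"})
    sig = generalize(sig_a, sig_b)
    for trace in traces_a:
        print("trace:", trace)
    print("generalized indicators:", sorted(sig["indicators"]))
    future = [("registry", "added", RUN_KEY), ("permissions", "modified", "C:/Windows/Temp")]
    print("alert on future activity:", matches(sig, future))
```

Running the tool twice with a different dropped-file name and intersecting the two signatures leaves the registry and permission indicators, which is the point of claim 7's variance: the parts of the signature that depend on a parameter the tool controls are discarded, and what remains is what a defender would actually want to alert on.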



Claim Rejections – 35 USC §103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

11.  Claims 1, 3-10 and 12-19 are rejected under 35 U.S.C. 103 as being unpatentable over Katmor et al. (US Pub. No. US 2016/0149967 A1, hereinafter “Katmor”) in view of Antonov et al. (US Pub. No. US 2017/0351859 A1).

Katmor provides a computer implemented method for detection and prevention of an attempt at establishment of a network connection for malicious communication, comprising: detecting a connection establishment process for establishing a network connection, the connection establishment process initiated by code running on a client terminal; analyzing records in at least one stack trace of the initiating code managed at the client terminal, to detect a trial to establish a malicious communication wherein the network connection is used for malicious activity; and blocking establishment of the network connection when the analysis detects the trial to establish the malicious communication based on the network connection.

Antonov provides systems and methods for detecting a malicious computer system. An exemplary method comprises: collecting, via a processor, characteristics of a computer system; determining relations between collected characteristics of the computer system; determining a time dependency of at least one state of the computer system based on determined relations; determining the at least one state of the computer system based at least on determined time dependency; and analyzing the at least one state of the computer system in connection with selected patterns representing a legal or malicious computer system to determine a degree of harmfulness of the computer system.

As per claim 1, Katmor discloses a method for detecting malicious activity on a network (Abstract: para. 0034 discloses computer program product for detection of an attempt at establishment of a network connection for malicious activity for example), the method comprising: gathering data regarding a first state of a computing environment; executing at least one attack tool in the computing environment to simulate malicious activity (para. 0005 discloses Anti-ATA solutions are based on detection of the attack or detection of the infiltrated malicious code. In another example, other tools are designed to detect abnormal or malicious activity in action, (i.e. Software that is created specifically to help detect, prevent and remove malware (malicious software)); gathering data regarding a second state of the computing environment after the at least one attack tool is executed (para. 0003 discloses the network connection is initiated by the malicious code itself, for example, to send stolen data to a remote server, for example and furthermore para. 0109 discloses stack data collected from the multiple clients at the gateway and/or data from multiple gateways may be analyzed together to identify a pattern of malicious activity, for example); detecting at least one trace of the malicious activity from the data regarding the second state of the computing environment (para. 0034 discloses at least one stack trace of the initiating code managed at the client terminal, to detect a trial to establish a malicious communication wherein the network connection is used for malicious activity, for example).

Katmor fails to explicitly disclose autonomously generating at least one signature for detecting future malicious activity, wherein the at least one generated signature is based on the at least one detected trace.

Antonov discloses autonomously generating at least one signature for detecting future malicious activity, wherein the at least one generated signature is based on the at least one detected trace (para. 0015 discloses as an antivirus tracking the behavior or structure of all applications installed on the users' computers may not detect new modifications or new varieties of malicious applications. While trying to conceal their presence on the computers of users, malicious programs continue to perform their malicious activity, which, even though concealed, is present on the computers and leaves traces. Based on the traces left behind, and by the uncharacteristic behavior of applications individually and the entire computer system as a whole, one may identify malicious applications, for example).

Katmor and Antonov are analogous art because they are both directed to systems and methods for detecting a malicious computer system, and one of ordinary skill in the art would have had a reasonable expectation of success in modifying Katmor with the specified features of Antonov because they are from the same field of endeavor.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of applicant’s claimed invention to combine the teachings of Antonov with the teachings of Katmor in order to allow access to a remote computer such as a server or a data center by logging in [para. 0002 of Antonov].

Regarding claim 3, the combination of Katmor as modified by Antonov discloses wherein detecting the at least one trace (para. 0015 of Antonov discloses as an antivirus tracking the behavior or structure of all applications installed on the users' computers may not detect new modifications or new varieties of malicious applications. While trying to conceal their presence on the computers of users, malicious programs continue to perform their malicious activity, which, even though concealed, is present on the computers and leaves traces) comprises comparing the data regarding the second state of the computing environment to the data regarding the first state of the computing environment to detect at least one difference between the first state of the computing environment and the second state of the computing environment (para. 0110 of Antonov discloses the state of a legal computer system; and para. 0111 discloses the state of a malicious computer system; para. 0112 discloses compare the determined state of the computer system with the selected patterns; and para. 0113 discloses send the result of the comparison to the analysis module 104, for example), the at least one difference being the at least one trace of the malicious activity (para. 0015 of Antonov discloses malicious programs continue to perform their malicious activity which, even though concealed, is present on the computers and leaves traces. Based on the traces left behind, and by the uncharacteristic behavior of applications individually and the entire computer system as a whole, one may identify malicious applications, for example).
The same motivational statement applies as set forth above in claim 1.
  
Regarding claim 4, the combination of Katmor as modified by Antonov discloses monitoring future network activity to detect activity matching the at least one generated signature (para. 0015 of Katmor discloses multiple stack traces obtained at multiple points during the connection establishment process, and said analyzing comprises matching the multiple stack traces to flow-data analysis representing the trial to establish the malicious communication, for example), wherein activity matching the at least one generated signature indicates malicious activity (para. 0034 of Katmor discloses a computer program product for detection of an attempt at establishment of a network connection for malicious activity, the computer program product comprising: one or more non-transitory computer-readable storage mediums, and program instructions stored on at least one of the one or more storage mediums, the program instructions comprising: program instructions for detecting a connection establishment process for establishing a network connection, for example).
 
Regarding claim 5, the combination of Katmor as modified by Antonov discloses issuing an alert using a user interface upon detecting activity matching the at least one generated signature (para. Katmor discloses Gateway 210 halts the connection establishment or allows the connection establishment to continue, by direct control and/or generation of an alert signal indicative of the status of the connection establishment, for example).

Regarding claim 6, the combination of Katmor as modified by Antonov discloses wherein the signature is defined by at least one signature parameter (para. 0011 code obfuscation to defeat signature analysis--converting the original text (such as JavaScript scripts) or executable code of programs to a form which retains their functionality, yet which impedes analysis, an understanding of the working algorithms, and modification during decompilation, for example), and the method further includes receiving a recommendation to adjust at least one signature parameter to adjust the number of generated alerts regarding detected malicious activity (para. 0131 of Katmor discloses alerts indicating malicious communication attempts and/or messages indicating no malicious communication attempts; furthermore para. 0133 of Katmor discloses Manage the generated signals: spot trends and take action, for example, identify spread of a malicious agent between clients, stop a newly detected malicious agent, quarantine a highly infected client, for example).
  
Regarding claim 7, the combination of Katmor as modified by Antonov discloses wherein the attack tool is defined by at least one attack parameter (para. 0005 of Katmor discloses Anti-ATA solutions are based on detection of the attack or detection of the infiltrated malicious code. In another example, other tools are designed to detect abnormal or malicious activity in action, (i.e. Software that is created specifically to help detect, prevent and remove malware (malicious software)), and the method further includes autonomously adjusting the at least one attack parameter to generate a variance in the at least one trace of malicious activity and in the at least one generated signature (para. 0006 of Antonov discloses signature analysis--searching for correspondences of a particular code section of a program being analyzed to a known code (signature) from a database of signatures of malicious programs, for example).
The same motivational statement applies as set forth above in claim 10.
 
Regarding claim 8, the combination of Katmor as modified by Antonov discloses wherein the at least one trace includes at least one of a modified registry key (para. 0065 of Antonov discloses records from the configuration files of the applications running in the computer system (such as entries in the registry or entries in ini files); and furthermore para. 0066 of Antonov discloses relations between applications characterizing which applications exchange data and how, for example), a modified file system access permission, a modified write access permission, a modified process, a modified file, and a dropped file (paras. 0094 and 0099 of Katmor disclose at least one stack trace of the initiating code managed at the client terminal, to detect a trial to establish a malicious communication wherein the network connection is used for malicious activity; and blocking establishment of the network connection when the analysis detects the trial to establish the malicious communication based on the network connection, for example).
  
Regarding claim 9, the combination of Katmor as modified by Antonov discloses validating the generated signature against a historical dataset of signatures to determine whether the generated signature is associated with an anomalous amount of malicious activity compared to the historical dataset (para. 0101 of Katmor discloses Comparing and/or correlating modules within the stack against a pre-defined white list of validated modules, to identify unknown modules not located within the white list, and para. 0032 of Katmor discloses at least one stack trace of the application when the network connection is active; and analyze records in the at least one stack trace to monitor for post connection establishment malicious activity using the active network connection, for example).
 
As per claim 10, Katmor discloses a system for detecting malicious activity on a network (Abstract: para. 0034 discloses computer program product for detection of an attempt at establishment of a network connection for malicious activity for example), the system comprising: at least one attack tool configured to simulate malicious activity (para. 0005 discloses Anti-ATA solutions are based on detection of the attack or detection of the infiltrated malicious code. In another example, other tools are designed to detect abnormal or malicious activity in action, (i.e. Software that is created specifically to help detect, prevent and remove malware (malicious software)); and a virtual security appliance configured to execute instructions stored on memory to: gather data regarding a first state of a computing environment before the attack tool simulates the malicious activity (para. 0003 discloses the network connection is initiated by the malicious code itself, for example, to send stolen data to a remote server, for example and furthermore para. 0109 discloses stack data collected from the multiple clients), gather data regarding a second state of the computing environment after the attack tool simulates the malicious activity (para. 0005 discloses Anti-ATA solutions are based on detection of the attack or detection of the infiltrated malicious code. In another example, other tools are designed to detect abnormal or malicious activity in action, for example); detect at least one trace of the malicious activity from the data regarding the second state of the computing environment (para. 0034 discloses at least one stack trace of the initiating code managed at the client terminal, to detect a trial to establish a malicious communication wherein the network connection is used for malicious activity, for example).

Katmor does not explicitly disclose autonomously generating at least one signature for detecting future malicious activity, wherein the at least one generated signature is based on the at least one detected trace.

Antonov discloses autonomously generating at least one signature for detecting future malicious activity, wherein the at least one generated signature is based on the at least one detected trace (para. 0015 discloses that an antivirus tracking the behavior or structure of all applications installed on the users' computers may not detect new modifications or new varieties of malicious applications. While trying to conceal their presence on the computers of users, malicious programs continue to perform their malicious activity, which, even though concealed, is present on the computers and leaves traces. Based on the traces left behind, and by the uncharacteristic behavior of applications individually and the entire computer system as a whole, one may identify malicious applications, for example).

Katmor and Antonov are analogous art because they both are directed to systems and methods for detecting a malicious computer system, and one of ordinary skill in the art would have had a reasonable expectation of success in modifying Katmor with the specified features of Antonov because they are from the same field of endeavor.

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of applicant's claimed invention to combine the teachings of Antonov with the teachings of Katmor in order to allow access to a remote computer such as a server or a data center by logging in [para. 0002 of Antonov].

Regarding claim 12, the combination of Katmor as modified by Antonov discloses wherein the virtual security appliance detects the at least one trace (para. 0015 of Antonov discloses that an antivirus tracking the behavior or structure of all applications installed on the users' computers may not detect new modifications or new varieties of malicious applications. While trying to conceal their presence on the computers of users, malicious programs continue to perform their malicious activity, which, even though concealed, is present on the computers and leaves traces) by comparing the data regarding the second state of the computing environment to the data regarding the first state of the computing environment to detect at least one difference between the first state of the computing environment and the second state of the computing environment (para. 0110 of Antonov discloses the state of a legal computer system; para. 0111 discloses the state of a malicious computer system; para. 0112 discloses comparing the determined state of the computer system with the selected patterns; and para. 0113 discloses sending the result of the comparison to the analysis module 104, for example), the at least one difference being the at least one trace of the malicious activity (para. 0015 of Antonov discloses that malicious programs continue to perform their malicious activity which, even though concealed, is present on the computers and leaves traces. Based on the traces left behind, and by the uncharacteristic behavior of applications individually and the entire computer system as a whole, one may identify malicious applications, for example).
The same motivational statement applies as set forth above in claim 10.
  
Regarding claim 13, the combination of Katmor as modified by Antonov discloses wherein the virtual security appliance is further configured to monitor future network activity to detect activity matching the at least one generated signature, wherein activity matching the at least one generated signature indicates malicious activity (para. 0034 of Katmor discloses a computer program product for detection of an attempt at establishment of a network connection for malicious activity, the computer program product comprising: one or more non-transitory computer-readable storage mediums, and program instructions stored on at least one of the one or more storage mediums, the program instructions comprising: program instructions for detecting a connection establishment process for establishing a network connection, for example).
 
Regarding claim 14, the combination of Katmor as modified by Antonov discloses a user interface configured to issue an alert upon the virtual security appliance matching the at least one generated signature (fig. 2, and furthermore para. 0083 of Katmor discloses that infected application and/or malicious code 208C may be part of a hypervisor or virtual machine monitor that creates and/or runs virtual machines, for example).

Regarding claim 15, the combination of Katmor as modified by Antonov discloses wherein the signature is defined by at least one signature parameter (para. 0006 of Antonov discloses signature analysis, i.e., searching for correspondences of a particular code section of a program being analyzed to a known code (signature) from a database of signatures of malicious programs, for example), and the virtual security appliance is configured to receive a recommendation to adjust at least one signature parameter to adjust the number of generated alerts regarding detected malicious activity (para. 0133 of Katmor discloses managing the generated signals: spot trends and take action, for example, identify spread of a malicious agent between clients, stop a newly detected malicious agent, quarantine a highly infected client, for example).
The same motivational statement applies as set forth above in claim 10.

Regarding claim 16, the combination of Katmor as modified by Antonov discloses wherein the attack tool is defined by at least one attack parameter, and the virtual security appliance is further configured to autonomously adjust the at least one attack parameter to generate a variance in the at least one trace of malicious activity and in the at least one generated signature (see fig. 2 of Jalio; furthermore para. 0026 of Jalio discloses that security device 220 may be implemented as an individual security device 220, a virtual context security device 220, or a security device 220 cluster, for example).
The same motivational statement applies as set forth above in claim 10.

Regarding claim 17, the combination of Katmor as modified by Antonov discloses wherein the at least one trace includes at least one of a modified registry key (para. 0065 of Antonov discloses records from the configuration files of the applications running in the computer system (such as entries in the registry or entries in ini files); and furthermore para. 0066 of Antonov discloses relations between applications characterizing which applications exchange data and how, for example), a modified file system access permission, a modified write access permission, a modified process, a modified file, and a dropped file (paras. 0094 and 0099 of Katmor disclose at least one stack trace of the initiating code managed at the client terminal, to detect a trial to establish a malicious communication wherein the network connection is used for malicious activity, and blocking establishment of the network connection when the analysis detects the trial to establish the malicious communication based on the network connection, for example).
The same motivational statement applies as set forth above in claim 10.
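The state-comparison limitation discussed under claim 12 (first-state snapshot, second-state snapshot, differences treated as traces, signature built from the traces) and the trace categories listed in claim 17 can be illustrated with a short Python program. The following is an added example for the reader; it is not code from the office action, from the application under examination, or from any of the cited references (Katmor, Antonov, Jalio). The snapshot contents, the trace type names, and the `min_matches` threshold are constructed assumptions chosen only to make the pipeline concrete.

```python
"""Snapshot diff -> traces -> detection signature -> match against later state.

Added illustration; all snapshot data below is constructed sample data and the
trace categories are assumed names, not terms taken from any cited reference.
"""
import hashlib
import json

# Constructed "first state", gathered before any simulated activity runs.
BASELINE = {
    "registry": {
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater": "C:\\Program Files\\Updater\\updater.exe",
    },
    "files": {
        "C:\\Windows\\System32\\drivers\\etc\\hosts": {"sha256": "aa11", "perms": "rw-r--r--"},
        "C:\\Users\\analyst\\Documents\\report.docx": {"sha256": "bb22", "perms": "rw-------"},
    },
    "processes": {"explorer.exe", "svchost.exe"},
}

# Constructed "second state", gathered after the simulated activity ran in the sandbox.
AFTER = {
    "registry": {
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater": "C:\\Users\\Public\\svc.exe",
    },
    "files": {
        "C:\\Windows\\System32\\drivers\\etc\\hosts": {"sha256": "cc33", "perms": "rw-rw-rw-"},
        "C:\\Users\\analyst\\Documents\\report.docx": {"sha256": "bb22", "perms": "rw-------"},
        "C:\\Users\\Public\\svc.exe": {"sha256": "dd44", "perms": "rwxr-xr-x"},
    },
    "processes": {"explorer.exe", "svchost.exe", "svc.exe"},
}


def diff_snapshots(before, after):
    """Every difference between the two states is recorded as one trace."""
    traces = []
    for key, value in after["registry"].items():
        if before["registry"].get(key) != value:
            traces.append({"type": "modified_registry_key", "target": key, "value": value})
    for path, meta in after["files"].items():
        old = before["files"].get(path)
        if old is None:  # file that did not exist before: a dropped file
            traces.append({"type": "dropped_file", "target": path, "sha256": meta["sha256"]})
            continue
        if old["sha256"] != meta["sha256"]:  # content changed
            traces.append({"type": "modified_file", "target": path, "sha256": meta["sha256"]})
        if old["perms"] != meta["perms"]:  # access permission changed
            traces.append({"type": "modified_access_permission", "target": path, "perms": meta["perms"]})
    for name in sorted(after["processes"] - before["processes"]):  # process set changed
        traces.append({"type": "new_process", "target": name})
    traces.sort(key=lambda t: (t["type"], t["target"]))  # deterministic order
    return traces


def generate_signature(traces):
    """Derive a signature from the traces; the id is a hash of the canonical trace list."""
    canonical = json.dumps(traces, sort_keys=True, separators=(",", ":"))
    return {"id": hashlib.sha256(canonical.encode()).hexdigest(), "indicators": traces}


def count_matches(signature, snapshot):
    """Count how many of the signature's indicators are present in a later snapshot."""
    hits = 0
    for ind in signature["indicators"]:
        kind, target = ind["type"], ind["target"]
        if kind == "modified_registry_key":
            hits += snapshot["registry"].get(target) == ind["value"]
        elif kind in ("dropped_file", "modified_file"):
            meta = snapshot["files"].get(target)
            hits += meta is not None and meta["sha256"] == ind["sha256"]
        elif kind == "modified_access_permission":
            meta = snapshot["files"].get(target)
            hits += meta is not None and meta["perms"] == ind["perms"]
        elif kind == "new_process":
            hits += target in snapshot["processes"]
    return hits


def is_alert(signature, snapshot, min_matches=2):
    """min_matches is the tunable signature parameter: raising it lowers alert volume."""
    return count_matches(signature, snapshot) >= min_matches


if __name__ == "__main__":
    sig = generate_signature(diff_snapshots(BASELINE, AFTER))
    print(sig["id"], [t["type"] for t in sig["indicators"]])
```

Running the module prints the signature id and the five trace categories found in the constructed data (a dropped file, a permission change, a modified file, a changed registry value, and a new process); `is_alert` then lets an operator trade alert volume for sensitivity by changing a single parameter rather than editing the signature itself.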
 
Regarding claim 18, the combination of Katmor as modified by Antonov discloses wherein the virtual security appliance is further configured to validate the generated signature against a historical dataset of signatures to determine whether the generated signature is associated with an anomalous amount of malicious activity compared to the historical dataset (para. 0101 of Katmor discloses comparing and/or correlating modules within the stack against a pre-defined white list of validated modules, to identify unknown modules not located within the white list, and para. 0032 of Katmor discloses at least one stack trace of the application when the network connection is active, and analyzing records in the at least one stack trace to monitor for post connection establishment malicious activity using the active network connection, for example).

As per claim 19, Katmor discloses a non-transitory computer readable medium containing computer-executable instructions for performing a method for detecting malicious activity on a network (Abstract; para. 0034 discloses a computer program product for detection of an attempt at establishment of a network connection for malicious activity, for example), the computer readable medium comprising: computer-executable instructions for gathering data regarding a first state of a computing environment; computer-executable instructions for executing at least one attack tool in the computing environment to simulate malicious activity (para. 0034 discloses a computer program product for detection of an attempt at establishment of a network connection for malicious activity, the computer program product comprising: one or more non-transitory computer-readable storage mediums, and program instructions stored on at least one of the one or more storage mediums, the program instructions comprising: program instructions for detecting a connection establishment process for establishing a network connection, for example); computer-executable instructions for gathering data regarding a second state of the computing environment after the at least one attack tool is executed (para. 0005 discloses Anti-ATA solutions based on detection of the attack or detection of the infiltrated malicious code; in another example, other tools are designed to detect abnormal or malicious activity in action, for example); computer-executable instructions for detecting at least one trace of the malicious activity from the data regarding the second state of the computing environment (para. 0034 discloses at least one stack trace of the initiating code managed at the client terminal, to detect a trial to establish a malicious communication wherein the network connection is used for malicious activity, for example).

Katmor does not explicitly disclose computer-executable instructions for autonomously generating at least one signature for detecting future malicious activity, wherein the at least one generated signature is based on the at least one detected trace.

Antonov discloses computer-executable instructions for autonomously generating at least one signature for detecting future malicious activity, wherein the at least one generated signature is based on the at least one detected trace (para. 0015 discloses that an antivirus tracking the behavior or structure of all applications installed on the users' computers may not detect new modifications or new varieties of malicious applications. While trying to conceal their presence on the computers of users, malicious programs continue to perform their malicious activity, which, even though concealed, is present on the computers and leaves traces. Based on the traces left behind, and by the uncharacteristic behavior of applications individually and the entire computer system as a whole, one may identify malicious applications, for example).

Katmor and Antonov are analogous art because they both are directed to systems and methods for detecting a malicious computer system, and one of ordinary skill in the art would have had a reasonable expectation of success in modifying Katmor with the specified features of Antonov because they are from the same field of endeavor.

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of applicant's claimed invention to combine the teachings of Antonov with the teachings of Katmor in order to allow access to a remote computer such as a server or a data center by logging in [para. 0002 of Antonov].

12.  Claims 2 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Katmor et al. (US Pub. No. US 2016/0149967 A1, hereinafter “Katmor”) in view of Antonov et al. (US Pub. No. US 2017/0351859 A1), further in view of Jalio et al. (US Pub. No. US 2019/0327263 A1).

Jalio discloses a method, system, and computer-usable medium for, responsive to receipt of traffic from a server to a client, parsing content of the traffic, and injecting additional content into original content of the server response to override an action of the original content, such that when the client executes the content of the traffic the client determines whether the content includes additional content that overrides the action of the original content, and in response to determining that the content includes additional content that overrides the action of the original content, communicates parameters associated with execution of the action to an inspection service to determine if the action is malicious.

Regarding claims 2 and 11, the combination of Katmor as modified by Antonov discloses all the claimed limitations except for wherein the computing environment is a sandbox environment.

However, Jalio discloses wherein the computing environment is a sandbox environment (para. 0005 of Jalio discloses security devices that actually execute the content in a "sandbox" environment and detect the malicious activity performed within the sandbox, for example).

Katmor as modified by Antonov and Jalio are analogous art because they both are directed to a method, system, and computer-usable medium for performing distributed protection for a client information handling system with respect to network traffic, and one of ordinary skill in the art would have had a reasonable expectation of success in modifying Katmor as modified by Antonov with the specified features of Jalio because they are from the same field of endeavor.

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of applicant's claimed invention to combine the teachings of Jalio with the teachings of Katmor as modified by Antonov in order to perform distributed protection for a client information handling system with respect to network traffic [para. 0001 of Jalio].

Pertinent Art
13.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Katmor et al. (Pub. No.: US 2016/0149937 A1) provides a computer implemented method for detection and prevention of an attempt at establishment of a network connection for malicious communication, comprising: detecting a connection establishment process for establishing a network connection, the connection establishment process initiated by code running on a client terminal; analyzing records in at least one stack trace of the initiating code managed at the client terminal, to detect a trial to establish a malicious communication wherein the network connection is used for malicious activity; and blocking establishment of the network connection when the analysis detects the trial to establish the malicious communication based on the network connection.

14.	Kim et al. (Pub. No.: US 2016/0359875 A1) provides a system for detecting and preventing malicious scripts, including an apparatus for detecting and preventing malicious scripts that analyzes a first script, which is included in a web page, using a first signature or a second signature to determine whether a malicious script exists in the first script, and processes the first script according to analysis result data obtained by the analysis, and a signature management apparatus that generates and manages the first signature or the second signature and provides the first signature or the second signature to the apparatus for detecting and preventing malicious scripts upon request, wherein the first signature includes code pattern information of previously-detected malicious scripts, the second signature includes a call trace, which has API flow information of the previously-detected malicious scripts, and the apparatus for detecting and preventing malicious scripts primarily performs static analysis on the first script using the first signature and secondarily performs dynamic analysis on the first script using the second signature.

15.	Change (Pub. No.: US 2019/0294788 A1) provides that malicious processes may be tracked by obtaining process history information of a computing device and obtaining an identification of a malicious software on the computing device. An associated process of the malicious software and actions of the associated process may be identified based on the process history information. Related processes of the associated process and actions of the related processes may be iteratively identified based on the process history information. Tracking information for the malicious software may be generated based on the associated process, the actions of the associated process, the related processes, and the actions of the related processes.

16.	Gupta et al. (Pub. No.: US 2016/0212159 A1) provides that computer applications, including but not limited to single and multitier, closed and distributed, standalone, web-based, and cloud-based, are vulnerable to malware attacks. The largest number of malware attacks of computer applications today result from the ability of a malicious actor to inject and later execute malicious content in a running process of a computer application. The process of injecting such malicious content involves identifying and exploiting poorly designed code that performs inadequate input validation. The current cyber security technologies attempt to either observe malicious content in the application or trace the behavior of an application or screen the behavior of suspicious code in a sandbox. These technologies do not have the capability to examine computer applications in real time at a low enough granularity to reliably detect events that indicate the injection of malicious content. In addition, these technologies do not have the capability to track and correlate such events over time in order to accurately identify these malware attacks before the malware successfully carries out its malicious intent.

Conclusion
17.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to ABIY GETACHEW whose telephone number is (571)272-6932.  The examiner can normally be reached on Mon.-Fri. 9:00 AM - 5:30 PM.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571) 272-3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
A.G.
October 7, 2022
/ABIY GETACHEW/Primary Examiner, Art Unit 2434