DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Information Disclosure Statement
The information disclosure statements (IDS) submitted on 04/13/2021, 07/16/2021, 08/24/2021, 11/30/2021, 04/14/2022, 08/15/2022 and 10/31/2022 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Vaughan (US 2015/0007314), hereinafter referred to as Vaughan, in view of Taylor et al. (US 2017/0195353), hereinafter referred to as Taylor.

In regards to claims 1, 8 and 15, Vaughan discloses determining one or more requests as suspicious that are provided to a server in a monitored network based on one or more characteristics of the one or more provided requests (Packets received for delivery to devices on a network are monitored. The packets may be received by network protection device from outside the network and/or from inside the network for delivery to a device within the network, e.g., a services/mobiles network; Packet analyzer may develop the post attack packet profile as described above for the instant packet profile at block; The time period following the identification of the attack may be the same duration as the time periods used to generate the current and historic packet profiles, e.g., 10 minutes. Thus, the post attack packet profile in this example includes a 10-minute time period at some time after the identification of the attack. The packets may be continuously sampled in overlapping or non-overlapping time periods after the start of an attack to obtain data for use in identification of the end of an attack; Paragraphs 0042, 0071); employing one or more characteristics of one or more dependent actions performed by the server to evaluate the one or more dependent actions for association with anomalous activity (Upon the identification of a network attack at the site of a network protection device, for example, malicious traffic may be identified manually and/or automatically by packet processor 318. Operational staff may be notified to investigate the attack and take corrective action such as blocking the malicious traffic as described below with reference to block; An operator may examine the network traffic for the site in a time window (e.g., 30 to 60 minutes) associated with the attack, focusing on the anomalous packet type (e.g., if there is a relatively large increase in UDP traffic, the UDP packets are examined). The time window being analyzed may then be adjusted to detect the approximate start time of the incident (e.g., within a few minutes or less). Additionally, the IP addresses that are top sources and/or destinations for the anomalous packet type are examined; Paragraph 0064); and determining malformed information that is included in the one or more dependent actions based on an association with other malformed information that is included in the one or more suspicious requests (A performance score that is associated with the investigation profile based on the occurrence of the one or more investigation activities and a completion status of the investigation, wherein the performance score is decreased when one or more other investigation activities are included in the investigation or when one or more of the one or more investigation activities are omitted from the investigation of the anomaly; Paragraph 0071).
However, Vaughan does not disclose wherein the anomalous activity comprises, an injection attack based on malformed information included in the one or more suspicious requests that is associated with one or more of one or more malformed shell instructions, malformed command instructions, or malformed inter-process communication associated with the one or more dependent actions, and wherein the determining of the anomalous activity. In an analogous art, Crank discloses wherein the anomalous activity comprises, an injection attack based on malformed information included in the one or more suspicious requests that is associated with one or more of one or more malformed shell instructions, malformed command instructions, or malformed inter-process communication associated with the one or more dependent actions, and wherein the determining of the anomalous activity (MTDM may implement a honeyclient (e.g., an emulated client) that utilizes various mechanisms and/or techniques for detecting malicious behaviors in a safe and/or controlled environment. In this example, the honeyclient can use techniques to detect a malicious behavior (e.g., a code injection attack, a heap spray attack, etc.) associated with executing or using a URL and/or a related payload or file; As packets cross the network border, we reassemble them first at the TCP-level into matching {request, response} data streams. Duplicate or malformed TCP packets are discarded as specified by the TCP protocol. Then we reassemble these data streams at the HTTP-level, making each request header and associated response content transparent to our framework. As with TCP packets, malformed HTTP content is discarded in accordance with the protocol specification, and content for other application-layer services is filtered and ignored; Paragraphs 0027; 0040-0046; 0130).
 
At the time of the invention, it would have been obvious to a person of ordinary skill in the art to combine the teachings disclosed by Vaughan with the teachings disclosed by Taylor, regarding wherein the anomalous activity comprises, an injection attack based on malformed information included in the one or more suspicious requests that is associated with one or more of one or more malformed shell instructions, malformed command instructions, or malformed inter-process communication associated with the one or more dependent actions, and wherein the determining of the anomalous activity. The suggestion/motivation of the combination would have been to provide improved security in the authentication of data before transmission (Crank; Paragraphs 0001-0005).
In regards to claims 2, 9 & 16, Vaughan discloses employing one or more characteristics of the one or more suspicious requests to provide one or more correlations associated with the one or more suspicious requests; and providing the evaluation of the one or more dependent actions for anomalous activity based on the one or more correlations associated with the one or more suspicious requests; and providing one or more reports that include information associated with the anomalous activity by the server and the one or more other servers in the monitored network (A historic packet profile is developed. The historic packet profile may be developed by examining the monitored packets received during a plurality of time periods preceding a time period of interest (the "instant" time period); An instant packet profile is developed. The instant packet profile may be developed by examining the monitored packets received during a time period of interest (e.g., the current time period). Packet analyzer may develop the current packet profile based on information received from packet extractor; Paragraphs 0057; 0060).
In regards to claims 3, 10 & 17, Vaughan discloses wherein the one or more dependent actions further comprise: one or more of dependent requests that are sent to one or more other servers in the monitored network and one or more other dependent actions performed by the one or more other servers in response to the one or more dependent requests (Upon the identification of a network attack at the site of a network protection device, for example, malicious traffic may be identified manually and/or automatically by packet processor 318. Operational staff may be notified to investigate the attack and take corrective action such as blocking the malicious traffic as described below with reference to block; An operator may examine the network traffic for the site in a time window (e.g., 30 to 60 minutes) associated with the attack, focusing on the anomalous packet type (e.g., if there is a relatively large increase in UDP traffic, the UDP packets are examined). The time window being analyzed may then be adjusted to detect the approximate start time of the incident (e.g., within a few minutes or less). Additionally, the IP addresses that are top sources and/or destinations for the anomalous packet type are examined; Paragraph 0064).
	In regards to claims 4, 11 & 18, Taylor discloses determining the anomalous activity based on one or more of the malformed information or the other malformed information (MTDM may implement a honeyclient (e.g., an emulated client) that utilizes various mechanisms and/or techniques for detecting malicious behaviors in a safe and/or controlled environment. In this example, the honeyclient can use techniques to detect a malicious behavior (e.g., a code injection attack, a heap spray attack, etc.) associated with executing or using a URL and/or a related payload or file; As packets cross the network border, we reassemble them first at the TCP-level into matching {request, response} data streams. Duplicate or malformed TCP packets are discarded as specified by the TCP protocol. Then we reassemble these data streams at the HTTP-level, making each request header and associated response content transparent to our framework. As with TCP packets, malformed HTTP content is discarded in accordance with the protocol specification, and content for other application-layer services is filtered and ignored; Paragraphs 0027; 0040-0046; 0130).

In regards to claims 5, 12 & 19, the combination of Vaughan and Taylor discloses providing configuration information for one or more of an application protocol or a communication protocol that is associated with the monitored network, wherein the configuration information includes one or more of a file, a database, user input, or a default value for the application protocol or the communication protocol; and validating that the one or more requests are provided by the server based on an evaluation of the configuration information by one or more of templates, masks, pattern matching, machine learning classifiers or models, regular expressions, rules, computer readable instructions, parsers, or grammars (The elements presented in the claim(s) do not contain any additional features, do not present any inventive step or novelty not addressed/presented in the combination of Vaughan and Taylor. Examiner takes official notice that these elements are commonly known, minor design details that are derivable from the prior art and are well known, and obvious to one of ordinary skill in the art. The additional features of these claims represent normal design options, which the skilled person would implement in the combination of Vaughan and Taylor, depending on the circumstances, without exercising any inventive activity).
In regards to claims 6 and 13, the combination of Vaughan and Taylor discloses wherein the one or more characteristics of the one or more suspicious requests, includes: one or more of contents of the one or more suspicious requests, a sender of the one or more suspicious requests, a target of the one or more suspicious requests, tuple information, time of day, network utilization, or a rate of requests sent or received (The elements presented in the claim(s) do not contain any additional features, do not present any inventive step or novelty not addressed/presented in the combination of Vaughan and Taylor. Examiner takes official notice that these elements are commonly known, minor design details that are derivable from the prior art and are well known, and obvious to one of ordinary skill in the art. The additional features of these claims represent normal design options, which the skilled person would implement in the combination of Vaughan and Taylor, depending on the circumstances, without exercising any inventive activity).
In regards to claims 7 and 14, Taylor discloses wherein the anomalous activity further comprises: an injection attack based on malformed information included in the one or more suspicious requests that is associated with malformed structured query language (SQL) instructions that are included in the one or more dependent actions (MTDM may implement a honeyclient (e.g., an emulated client) that utilizes various mechanisms and/or techniques for detecting malicious behaviors in a safe and/or controlled environment. In this example, the honeyclient can use techniques to detect a malicious behavior (e.g., a code injection attack, a heap spray attack, etc.) associated with executing or using a URL and/or a related payload or file; As packets cross the network border, we reassemble them first at the TCP-level into matching {request, response} data streams. Duplicate or malformed TCP packets are discarded as specified by the TCP protocol. Then we reassemble these data streams at the HTTP-level, making each request header and associated response content transparent to our framework. As with TCP packets, malformed HTTP content is discarded in accordance with the protocol specification, and content for other application-layer services is filtered and ignored; Paragraphs 0027; 0040-0046; 0130).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHARIF E ULLAH whose telephone number is (571)272-5453. The examiner can normally be reached Mon-Fri 7:00-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr, can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/SHARIF E ULLAH/Primary Examiner, Art Unit 2495