Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


Response to Arguments

Applicant's arguments filed 8/22/22 have been fully considered but they are not persuasive.  Applicant argues that Ben-Itzhak US 2003/0204719 fails to teach the claims as amended because it does not refrain from sending requests to an application layer security device.   Examiner argues that Stolfo teaches that a message may be checked before being sent to a binary code [0052].  Ben-Itzhak additionally teaches how/what the message can be checked.  Ben-Itzhak checks for validity and malformed messages, in the same spirit as the current invention.  Examiner argues that where the message is sent following this check is immaterial to the combination at issue.  Stolfo teaches the classification training system, input data, and computing a maliciousness score.  It would have been obvious to one of ordinary skill in the art to ensure that the training data was properly formed before being input.  Ben-Itzhak ensures that a message is valid before forwarding, and if it is not valid, the message is not sent.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claim(s) 1-3, 9-12, 15, 16, 18, 19, 22-24 is/are rejected under 35 U.S.C. 103 as being unpatentable over Stolfo US 2009/0193293 in view of Ben-Itzhak US 2003/0204719.

As per claim 1. Stolfo teaches A secure network system comprising: at least one secured network connected device, comprising at least one hardware processor connected to at least one digital communication network interface, [0033] (Figure 1) and adapted for: in at least one iteration of a plurality of iterations: Stolfo teaches executing a binary code for computing a maliciousness score in response to an input message, where the binary code is received from a remote server via a network and encapsulates a classification model trained, [0048] [0049] (receive binary remotely to execute and detect maliciousness score) 

Stolfo teaches using a plurality of historical messages collected by the remote server from a plurality of secured network connected devices, to compute the maliciousness score in response to the input message;  [0047][0048][0062][0067][0076][0090] (teaches generating model based on a plurality of sources including third parties, connected remote sites and local feedback to classifier)  Stolfo teaches receiving a message via the at least one digital communication network interface; computing a message maliciousness score by providing the message to the binary code; [0035][0048][0049] (calculates a score for input based on received model)
Stolfo teaches and providing the message to at least one software object executed by the at least one hardware processor to perform a message oriented task, subject to the message maliciousness score. [0088], [0091]  (forward for further processing, or drop based on score)

Stolfo teaches that messages may be checked for signature based anomaly and refraining from providing the message to the binary code [0052] (validates training set to ensure no malicious anomalies are contained therein)
Ben-Itzhak teaches in response to determining a presence of a signature based anomaly refraining from providing the message to the binary code; and in absence of the signature based anomaly providing the message to the binary code. [0159] (teaches a validation of the message syntax format and refraining from forwarding subject to validation value)
It would have been obvious to one of ordinary skill in the art to use the system of Ben-Itzhak with Stolfo because it ensures that messages are properly formatted before any other checks are needed.

As per claim 2. Stolfo teaches The system of claim 1, wherein the binary code encapsulates a plurality of hardware components and a plurality of software components of the classification model. [0047]

As per claim 3. Stolfo teaches The system of claim 1, wherein the at least one digital communication network interface is connected to a wireless digital communication network. [0034]

As per claim 9. Stolfo teaches The system of claim 1, wherein the at least one hardware processor is further adapted for: in the at least one iteration: receiving another message via the at least one digital communication network interface; computing another message maliciousness score by providing the other message to the binary code; and providing the other message to the at least one software object to perform the message oriented task, subject to the other message maliciousness score. [0035][0048][0049] [0088], [0091] (forward for further processing, or drop based on score)

As per claim 10. Stolfo teaches The system of claim 1, wherein the at least one hardware processor is further adapted for: in at least one other iteration of the plurality of iterations: receiving from the remote server, via the network, another binary code for computing a maliciousness score in response to an input message; where the other binary code encapsulates the classification model further trained, using another plurality of historical messages collected by the remote server from the plurality of secured network connected devices, to compute the maliciousness score in response to the input message; and replacing the binary code with the other binary code. [0067][0075][0090] (updating the classification model and repeating)

As per claim 11. Stolfo teaches The system of claim 1, wherein the at least one hardware processor is connected to the network via at least one other digital communication network interface. [0035]

As per claim 12. Stolfo teaches The system of claim 1, wherein the at least one hardware processor is further adapted for: sending the message to the remote server for training the classification model. [0090]

As per claim 15. Ben-Itzhak teaches The system of claim 1, wherein the at least one hardware processor is further adapted for: classifying the message as malformed, subject to a result of applying at least one message-format test to the message; sending a validation request, comprising at least part of the message, to the remote server for classification; receiving from the remote server a validation value; and refraining from providing the message to the other software object subject to the validation value. [0159] (teaches a validation of the message syntax format and refraining from forwarding subject to validation value)
It would have been obvious to one of ordinary skill in the art to use the system of Ben-Itzhak with Stolfo because it ensures that messages are properly formatted before any other checks are needed.

As per claim 16. Ben-Itzhak teaches The system of claim 1, wherein the at least one hardware processor is further adapted for: classifying the message as verified, subject to a result of applying at least one syntax test to the message; and providing the message to the at least one software object instead of computing the message maliciousness score and providing the message to the at least one software object subject to the message maliciousness score. (teaches a validation of the message syntax format and refraining from forwarding subject to validation value) [0159]

As per claim 18. Stolfo teaches A method for a secured network connected device, comprising: in at least one iteration of a plurality of iterations: executing a binary code for computing a maliciousness score in response to an input message, where the binary code is received from a remote server via a network and encapsulates a classification model trained, using a plurality of historical messages collected by the remote server from a plurality of secured network connected devices, to compute the maliciousness score in response to the input message; receiving a message via the at least one digital communication network interface; computing a message maliciousness score by providing the message to the binary code; and providing the message to at least one software object executed by at least one hardware processor of the secured network connected device to perform a message oriented task, subject to the message maliciousness score. [0035] [0047] [0049][0048][0062][0067][0076][0090] [0088], [0091] (see claim 1)
Stolfo teaches that messages may be checked for signature based anomaly and refraining from providing the message to the binary code [0052] (validates training set to ensure no malicious anomalies are contained therein)

Ben-Itzhak teaches in response to determining a presence of a signature based anomaly refraining from providing the message to the binary code; and in absence of the signature based anomaly providing the message to the binary code. [0159] (teaches a validation of the message syntax format and refraining from forwarding subject to validation value)

As per claim 19. Stolfo teaches A secure network system comprising: at least one server, comprising at least one hardware processor adapted for: in each of a plurality of server iterations: receiving from a plurality of secured network devices a plurality of messages; training a classification model to compute a maliciousness score in response to an input message; producing a binary code encapsulating the classification model; and sending the binary code, via a network, to at least one secured network connected device. [0035] [0047] [0049][0048][0062][0067][0076][0090] [0088], [0091] (see claim 1)
Stolfo teaches that messages may be checked for signature based anomaly and refraining from providing the message to the binary code [0052] (validates training set to ensure no malicious anomalies are contained therein)

Ben-Itzhak teaches receiving a validation request from the secured network device, where the validation request includes at least part of a  message and communicating a validation value based on the request, where the validation value causes the device to refrain from sending the message to the binary code. [0159] (teaches a validation of the message syntax format and refraining from forwarding subject to validation value)
It would have been obvious to one of ordinary skill in the art to use the system of Ben-Itzhak with Stolfo because it ensures that messages are properly formatted before any other checks are needed.

As per claim 22.  Stolfo teaches A method for a server of a secure network, comprising: in each of a plurality of server iterations: receiving from a plurality of secured network devices a plurality of messages; training a classification model to compute a maliciousness score in response to an input message; producing a binary code encapsulating the classification model; and sending the binary code, via a network, to at least one secured network connected device. [0035] [0047] [0049][0048][0062][0067][0076][0090] [0088], [0091] (see claim 1)
Stolfo teaches that messages may be checked for signature based anomaly and refraining from providing the message to the binary code [0052] (validates training set to ensure no malicious anomalies are contained therein)

Ben-Itzhak teaches receiving a validation request from the secured network device, where the validation request includes at least part of a  message and communicating a validation value based on the request, where the validation value causes the device to refrain from sending the message to the binary code. [0159] (teaches a validation of the message syntax format and refraining from forwarding subject to validation value)
It would have been obvious to one of ordinary skill in the art to use the system of Ben-Itzhak with Stolfo because it ensures that messages are properly formatted before any other checks are needed.

As per claim 23. Stolfo teaches A method for a secure network system, comprising: on at least one remote server: in each of a plurality of server iterations: receiving from a plurality of secured network devices a plurality of messages; training a classification model to compute a maliciousness score in response to an input message; producing a binary code encapsulating the classification model; and sending the binary code, via a network, to at least one secured network connected device; and on the at least one secured network connected device: in at least one iteration of a plurality of iterations: receiving the binary code from the at least one remote server; executing the binary code; receiving a message via at least one digital communication network interface; computing a message maliciousness score by providing the message to the binary code; and providing the message to at least one software object executed by the at least one hardware processor to perform a message oriented task, subject to the message maliciousness score. [0035] [0047] [0049][0048][0062][0067][0076][0090] [0088], [0091] (see claim 1)

Ben-Itzhak teaches in response to determining a presence of a signature based anomaly refraining from providing the message to the binary code; and in absence of the signature based anomaly providing the message to the binary code. [0159] (teaches a validation of the message syntax format and refraining from forwarding subject to validation value)

As per claim 24. Stolfo teaches A secure network system comprising: at least one remote server, comprising at least one server hardware processor adapted for: in each of a plurality of server iterations: receiving from a plurality of secured network devices a plurality of messages; training a classification model to compute a maliciousness score in response to an input message; producing a binary code encapsulating the classification model; and sending the binary code, via a network, to at least one secured network connected device; and at least one secured network connected device, comprising at least one hardware processor connected to at least one digital communication network interface, and adapted for: in at least one iteration of a plurality of iterations: receiving the binary code from the at least one remote server; executing the binary code; receiving a message via at least one digital communication network interface; computing a message maliciousness score by providing the message to the binary code; and providing the message to at least one software object executed by the at least one hardware processor to perform a message oriented task, subject to the message maliciousness score. [0035] [0047] [0049][0048][0062][0067][0076][0090] [0088], [0091] (see claim 1)

Ben-Itzhak teaches in response to determining a presence of a signature based anomaly refraining from providing the message to the binary code; and in absence of the signature based anomaly providing the message to the binary code. [0159] (teaches a validation of the message syntax format and refraining from forwarding subject to validation value)

Claims 4-6 is/are rejected under 35 U.S.C. 103 as being unpatentable over Stolfo US 2009/0193293 in view of Ben-Itzhak US 2003/0204719 in view of Antonopoulos US 2016/0323435
As per claim 4.  Antonopoulos teaches The system of claim 3, wherein the wireless digital communication network is selected from a group consisting of: a network based on Institute of Electrical and Electronics Engineers (IEEE) 802.15.4 technical standard, and a cellular network. [0078]  (teaches a plethora of communications networks and standards)
It would have been obvious to one of ordinary skill in the art to use the network compatibility of Antonopoulos with Stolfo because it expands communications and compatibility [0028]

As per claim 5. Antonopoulos teaches The system of claim 4, wherein the network based on IEEE 802.15.4 technical standard is a Zigbee Alliance Zigbee network. [0078]

As per claim 6. Antonopoulos teaches The system of claim 4, wherein the cellular network is a Global System for Mobile communications (GSM) network. [0078]



Claims 7, 8 is/are rejected under 35 U.S.C. 103 as being unpatentable over Stolfo US 2009/0193293 in view of Ben-Itzhak US 2003/0204719 in view of Zhang US 2020/0045063
As per claim 7. Zhang teaches The system of claim 1, wherein the classification model is a neural network. [0006][0034][0036] (teaches malware classifier is a neural network)
It would have been obvious to one of ordinary skill in the art to use the neural network of Zhang with the previous art because it provides better feedback and more accurate malware detection.

As per claim 8. Zhang teaches The system of claim 7, wherein the neural network comprises a plurality of computation units and a plurality of node connections, each node connection having a source node of the plurality of computation units, a target node of the plurality of computation units, and a plurality of connection values; wherein the binary code encapsulates a plurality of compressed computation units, each a compressed representation of one of the plurality of computation units, and a plurality of compressed node connections, each a compressed representation of one of the plurality of node connections; and wherein executing the binary code comprises: expanding at least some of the compressed computation units to produce a plurality of expanded computation units; and in at least one of a plurality of classification iterations: executing at least one of the expanded computation units; expanding at least one of the plurality of compressed node connections having a source node equal to the at least one of the expanded computation units to produce an expanded node connection; and executing the target node of the expanded node connection according to an output of the source node and the plurality of connection values of the expanded node connection. [0006][0034][0036][0067]-[0072] (teaches plurality of nodes/computation units with feedback and executing binary on target node to feedback to source node)

Claims 13, 14 is/are rejected under 35 U.S.C. 103 as being unpatentable over Stolfo US 2009/0193293 in view of Ben-Itzhak US 2003/0204719 in view of Zuk US 2007/0297333

As per claim 13. Stolfo teaches The system of claim 1, wherein the at least one hardware processor is further adapted for: identifying at least one signature-based anomaly by computing a match between the message and at least one identified signature value; and refraining from providing the message to the binary code subject to identifying the at least one signature based anomaly. [0062] [0067] (teaches using anomaly signatures)
Zuk explicitly teaches matching signatures [0032][0040].
It would have been obvious at the time the invention was filed to use the string matching methods of Zuk with Stolfo because they enhance and expand the malware detection of the system.

As per claim 14. Zuk teaches The system of claim 13, wherein the at least one identified signature value is a regular expression string value. [0032]

Claims 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Stolfo US 2009/0193293 in view of Antonopoulos US 2016/0323435 in view of Ben-Itzhak US 2003/0204719

As per claim 17. Antonopoulos teaches GSM network.  
Ben-Itzhak teaches The system of claim 16, wherein the at least one digital communication interface is connected to a GSM network; and wherein applying the at least one syntax test comprises at least one of: comparing a command value extracted from the message to an identified command value; comparing a flag value extracted from the message to an identified flag value; comparing an amount of bytes of the message to an identified amount of bytes, comparing an encryption method value identified in the message to an identified encryption method value, and comparing a routing attribute value extracted from the message to an identified routing attribute value. (teaches a validation of the message syntax format and refraining from forwarding subject to validation value) [0159] 
It would have been obvious to one of ordinary skill in the art to use the system of Ben-Itzhak with Stolfo because it ensures that messages are properly formatted before any other checks are needed.

Claims 20, 21 is/are rejected under 35 U.S.C. 103 as being unpatentable over Stolfo US 2009/0193293 in view of Ben-Itzhak US 2003/0204719 in view of Jakobsson US 11,102,244

As per claim 20. Jakobsson teaches The system of claim 19, wherein the at least one hardware processor is further adapted for: computing a plurality of digital signatures, each computed using one of the plurality of messages; associating a maliciousness score to each of the plurality of messages; and storing the plurality of messages as a plurality of historical messages in at least one non-volatile digital storage connected to the at least one hardware processor, each of the plurality of messages stored with respective maliciousness score and respective digital signature. (Column 68 lines 26-35) (Column 70 lines 30-35; 50-55) 
It would have been obvious to one of ordinary skill at the time the invention was filed to use the history of Jakobsson with Stolfo because it increases the accuracy of the system.

As per claim 21. Jakobsson teaches The system of claim 20, wherein the at least one hardware processor is further adapted for: in at least one of a plurality of validation iterations: receiving from the at least one secured network connected device a validation request, comprising at least part of a message; computing a digital signature using the at least part of the message; computing a validation value by comparing the digital signature to a plurality of digital signatures of the plurality of historical messages; and sending the validation value to the at least one secured network connected device. (Column 72 lines 58-65; Column 75 lines 10-20)

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER BROWN whose telephone number is (571)272-3833.  The examiner can normally be reached on M-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571) 270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/CHRISTOPHER J BROWN/Primary Examiner, Art Unit 2439