DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

This action is in response to Amendment filed on 09/28/2022.
Claims 1-3 and 11-13 have been amended, and no claim has been canceled or added.  Currently, claims 1-20 are pending.

Response to Amendment

Amendment to Specification is effective to overcome the objection to the Specification presented in the previous Office action.  Therefore, the previous objection to the Specification has been withdrawn.

Amendments to claims 3 and 13 are effective to overcome the claim objection of claims 3 and 13 presented in the previous Office action.  Therefore, the previous claim objection of claims 3 and 13 has been withdrawn.

Response to Arguments

Applicant’s arguments, see Remarks, pages 8-0, filed 09/28/2022, with respect to the rejection of claims 1-20 under 35 U.S.C. §103 have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of Kumar et al. (U.S. Publication No. 2013/0247183).

Claim Objections

Claims 2 and 12 are objected to because of the following informalities:

Regarding claim 2, the term “the possible malicious activity” in lines 1-2 should be “the possible instance of malicious activity”.

Regarding claim 12, the term “the possible malicious activity” in line 2 should be “the possible instance of malicious activity”.

Appropriate correction is required.

Claim Rejections - 35 USC § 102

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-8 and 11-18 (effective filing date 10/23/2017) are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Kumar et al. (U.S. Publication No. 2013/0247183, Publication date 09/19/2013).


As to claim 1, Kumar et al. teaches:
“A method” (see Kumar et al., Abstract and Fig. 3) comprising:
“receiving, at data processing hardware, an indication of a possible instance of malicious activity for an element of structured data, the indication indicating that an activity of the element of structured data deviates from an assessment standard comprising attributes corresponding to the structured data” (see Kumar et al., [0017]-[0018] and [0046] for detecting an attempt to modify a domain name system (DNS) setting in a registry including a plurality of DNS settings, wherein each DNS setting in a registry can be interpreted as an element of structured data as recited, wherein an attempt to modify the DNS setting (e.g., an attempted write operation or an attempted create operation) can be interpreted as an activity of the element of the structured data or a possible instance of malicious activity as recited, and wherein the current values/attributes of the DNS settings of the registry represent an assessment standard comprising attributes corresponding to structured data as recited);
“identifying, by the data processing hardware, a plurality of other instances of activity for the element of the structured data that deviated from the assessment standard, the plurality of other instances of activity stored in a registry in communication with the data processing hardware” (see Kumar et al., [0022] and [0048] for comparing the attribute of the modification (e.g., IP address) against an IP address database wherein each IP address represents another instance of activity for the element of the structured data as recited);
“determining, by the data processing hardware, whether the possible instance of malicious activity for the element of structured data matches other instances of activity for the element of the structured data that deviated from assessment standard” (see Kumar et al., Fig. 3 and [0053]-[0054] for determining/verifying an attempt to modify a domain name service setting by verifying an attribute of modification (e.g., new IP address) against other IP addresses in one or more data structures in the IP address databases (e.g., a whitelist, a blacklist, etc.)); and
“when the possible instance of malicious activity for the element of structured data fails to match other instances of activity for the element of structured data, communicating, by the data processing hardware, the possible instance of malicious activity for the element of structured data as a security finding to an entity overseeing the structured data” (see Kumar et al., [0054] and [0058] when the new IP address (representing the activity of modification of the DNS setting) fails to match the IP addresses in the whitelist and matches an IP address in the blacklist, the new IP address is identified as bad and is notified to a user associated with the client; also see [0025]-[0026]).

As to claim 11, Kumar et al. teaches:
“A system” (see Kumar et al., Abstract, Fig. 3 and Fig. 5) comprising:
“data processing hardware” (see Kumar et al., Fig. 1 for CPU 210); and
“memory hardware in communication with the data processing hardware, the memory hardware storing instructions that when executed on the data processing hardware cause the data processing hardware to perform operations comprising” (see Kumar et al., Fig. 2 for ROM 216 and RAM 214):
“receiving an indication of a possible instance of malicious activity for an element of structured data, the indication indicating that an activity of the element of structured data deviates from an assessment standard comprising attributes corresponding to the structured data” (see Kumar et al., [0017]-[0018] and [0046] for detecting an attempt to modify a domain name system (DNS) setting in a registry including a plurality of DNS settings, wherein each DNS setting in a registry can be interpreted as an element of structured data as recited, wherein an attempt to modify the DNS setting (e.g., an attempted write operation or an attempted create operation) can be interpreted as an activity of the element of the structured data or a possible instance of malicious activity as recited, and wherein the current values/attributes of the DNS settings of the registry represent an assessment standard comprising attributes corresponding to structured data as recited);
“identifying a plurality of other instances of activity for the element of the structured data that deviated from the assessment standard, the plurality of other instances of activity stored in a registry in communication with the data processing hardware” (see Kumar et al., [0022] and [0048] for comparing the attribute of the modification (e.g., IP address) against an IP address database wherein each IP address represents another instance of activity for the element of the structured data as recited);
“determining whether the possible instance of malicious activity for the element of structured data matches other instances of activity for the element of the structured data that deviated from assessment standard” (see Kumar et al., Fig. 3 and [0053]-[0054] for determining/verifying an attempt to modify a domain name service setting by verifying an attribute of modification (e.g., new IP address) against other IP addresses in one or more data structures in the IP address databases (e.g., a whitelist, a blacklist, etc.)); and
“when the possible instance of malicious activity for the element of structured data fails to match other instances of activity for the element of structured data, communicating the possible instance of malicious activity for the element of structured data as a security finding to an entity overseeing the structured data” (see Kumar et al., [0054] and [0058] when the new IP address (representing the activity of modification of the DNS setting) fails to match the IP addresses in the whitelist and matches an IP address in the blacklist, the new IP address is identified as bad and is notified to a user associated with the client; also see [0025]-[0026]).

As to claims 2 and 12, these claims are rejected based on the same reason as above to reject claims 1 and 11 respectively, and are similarly rejected including the following:
Kumar et al. teaches:
“when the possible instance of malicious activity for the element of the structured data is not a result of malicious code, updating, by the data processing hardware, the registry to include the possible instance of malicious activity for the element of structured data” (see Kumar et al., [0048] for updating the whitelist with IP addresses identified as good IP addresses, and updating the blacklist with IP addresses identified as bad IP addresses).

As to claims 3 and 13, these claims are rejected based on the same reason as above to reject claims 1 and 11 respectively, and are similarly rejected including the following:
Kumar et al. teaches:
“when the possible instance of malicious activity for the element of structured data matches other instances of activity for the element of structured data, determining, by the data processing hardware, that the possible instance of malicious activity fails to correspond to a respective security finding” (see Kumar et al., Fig. 4, [0041] and [0054] when the new IP address is matched to an IP address in the IP address whitelist, the new IP address is identified as good, the modification request/activity is verified and allowed to be performed).

As to claims 4 and 14, these claims are rejected based on the same reason as above to reject claims 3 and 13 respectively, and are similarly rejected including the following:
Kumar et al. teaches:
“communicating, by the data processing hardware to a source of the indication of a possible instance of malicious activity for an element of structured data, that the possible instance of malicious activity for the element of structured data corresponding to an expected instance of behavior” (see Kumar et al., [0057] for returning to the monitoring module (i.e. source) an indication that the new IP address is good (i.e., expected instance of behavior)).

As to claims 5 and 15, these claims are rejected based on the same reason as above to reject claims 1 and 11 respectively, and are similarly rejected including the following:
Kumar et al. teaches:
“wherein determining whether the possible instance of malicious activity for the element of structured data matches other instances of activity for the element of structured data comprising” (see Kumar et al., [0051]-[0052] and Fig. 3 for verifying the source and/or attribute of the modification activity by comparing the source and/or attribute (e.g., IP address) against the source database and the IP address database):
“identifying that a threshold number of other activity instances match the possible instance of malicious activity” (see Kumar et al., [0053]-[0054] for determining if the IP address matched/found in the whitelist or the blacklist); and 
“communicating that the possible instance of malicious activity of the element of structured data corresponds to an expected instance of behavior” (see Kumar et al., [0057] for returning to the monitoring module (i.e. source) an indication that the new IP address is good (i.e., expected instance of behavior)).
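As an added illustration (not code from Kumar et al., Spitz et al., or the application under examination), the flow the examiner maps onto claims 1/11, 2/12, 3/13 and 5/15 above: an indication that an element of structured data deviates from its assessment standard is compared with a registry of earlier deviations, reported as a security finding when it fails to match, treated as expected behavior when a threshold number of earlier instances match, and recorded in the registry once found benign. The element name, sample addresses, threshold value and device names are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Indication:
    """Report that an element of structured data deviates from its standard."""
    element: str    # which setting changed, e.g. a host's DNS server (constructed name)
    baseline: str   # value the assessment standard expects for this element
    observed: str   # attribute carried by the attempted modification


class DeviationRegistry:
    """Registry of earlier deviations per element (the role the examiner maps
    onto Kumar's IP address database, with a whitelist and a blacklist side)."""

    def __init__(self, threshold: int = 2):
        self.threshold = threshold                          # claims 5/15: match count
        self.seen = defaultdict(lambda: defaultdict(set))   # element -> value -> devices
        self.blocked = defaultdict(set)                     # element -> values known bad

    def record_benign(self, ind: Indication, device: str) -> None:
        """Claims 2/12: store a deviation found not to result from malicious code."""
        self.seen[ind.element][ind.observed].add(device)

    def record_malicious(self, ind: Indication) -> None:
        self.blocked[ind.element].add(ind.observed)


def evaluate(ind: Indication, reg: DeviationRegistry) -> str:
    """Claims 1/11, 3/13, 5/15: compare the indication with the registry.

    Returns "finding" when the activity fails to match earlier instances and
    must be communicated to the overseeing entity, "expected" when at least
    `threshold` devices already reported the same value, and "blocked" when
    the value is already classified as malicious."""
    if ind.observed == ind.baseline:
        return "expected"                        # no deviation from the standard
    if ind.observed in reg.blocked[ind.element]:
        return "blocked"
    reporters = reg.seen[ind.element].get(ind.observed, set())
    if len(reporters) >= reg.threshold:
        return "expected"                        # matches prior benign activity
    return "finding"                             # unmatched: raise a security finding


def demo() -> dict:
    """Constructed sample: two hosts saw the same resolver change, one value is known bad."""
    reg = DeviationRegistry(threshold=2)
    elem = "dns.nameserver"                      # constructed element name
    reg.record_benign(Indication(elem, "10.0.0.53", "10.0.0.54"), "host-a")
    reg.record_benign(Indication(elem, "10.0.0.53", "10.0.0.54"), "host-b")
    reg.record_malicious(Indication(elem, "10.0.0.53", "203.0.113.9"))
    return {
        "rollover": evaluate(Indication(elem, "10.0.0.53", "10.0.0.54"), reg),
        "known_bad": evaluate(Indication(elem, "10.0.0.53", "203.0.113.9"), reg),
        "novel": evaluate(Indication(elem, "10.0.0.53", "198.51.100.7"), reg),
    }


if __name__ == "__main__":
    print(demo())
```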

As to claims 6 and 16, these claims are rejected based on the same reason as above to reject claims 1 and 11 respectively, and are similarly rejected including the following:
Kumar et al. teaches:
“wherein the attributes comprises at least one of creator information, version information or data type” (see Kumar, [0017]-[0018] wherein each attribute corresponding to a registry setting/key (e.g., IP address setting), wherein each setting represents different data type).

As to claims 7 and 17, these claims are rejected based on the same reason as above to reject claims 1 and 11 respectively, and are similarly rejected including the following:
Kumar et al. teaches:
“wherein the registry logs instances of activity for the element of structured data over a period of time from multiple computing devices” (see Kumar et al., [0048] for updating the IP address database (i.e., the registry) with IP addresses over time from one or more computers).

As to claims 8 and 18, these claims are rejected based on the same reason as above to reject claims 1 and 11 respectively, and are similarly rejected including the following:
Kumar et al. teaches:
“wherein determining whether the possible instance of malicious activity for the element of structured data matches other instances of activity for the element of structured data comprises determining whether the possible instance of malicious activity for the element of structured data is expected or unexpected based on a heuristic or at least one rule” (see Kumar et al., Fig. 3, [0053]-[0054] and [0057]-[0058] for determining whether the modification to a DNS setting is allowed/expected or not allowed based on comparing the new IP address associated with the modification to an IP address whitelist and/or blacklist).

Claims 9 and 19 (effective filing date 10/23/2017) are rejected under 35 U.S.C. 103 as being unpatentable over Kumar et al. (U.S. Publication No. 2013/0247183, Publication date 09/19/2013), and further in view of Spitz et al. (U.S. Publication No. 2016/0364434, Publication date 12/15/2016).

As to claims 9 and 19, Kumar teaches all limitations as recited in claims 8 and 18 respectively.
However, Kumar does not explicitly teach a feature for generating/determining a rule based on analyzing data as equivalently recited as follows:
“statistically analyzing, by the data processing hardware, the registry to determine the at least one rule indicating whether the possible instance of malicious activity for the element of structured data is expected or unexpected”.
On the other hand, Spitz et al. teaches a feature for generating/determining a rule based on analyzing data as recited as follows:
“statistically analyzing, by the data processing hardware, the registry to determine the at least one rule indicating whether the possible instance of malicious activity for the element of structured data is expected or unexpected” (see Spitz et al., [0061] for generating rule(s) based on analyzing historical data, wherein a rule can indicate whether an automatically determined allowed/expected or prohibited/unexpected characteristic of the value/activity in a field (i.e., element) of a data record (i.e., structured data) (see [0060] and [0062])).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Spitz et al.'s teaching to Kumar et al.’s system by implementing a feature of generating rules for evaluating data based on analyzing data.  An ordinarily skilled artisan would have been motivated to do so to provide Kumar et al.’s system with an effective way to identify expected/allowed or unexpected/disallowed changes using rules generated based on historical data as suggested by Spitz et al. (see [0060]-[0062]).  In addition, both of the references (Kumar et al. and Spitz et al.) teach features that are directed to analogous art and they are directed to the same field of endeavor, such as, detecting suspicious/prohibited/invalid data issues by comparing data with stored/defined expected data.  This close relation between both of the references highly suggests an expectation of success.

Claims 10 and 20 (effective filing date 10/23/2017) are rejected under 35 U.S.C. 103 as being unpatentable over Kumar et al. (U.S. Publication No. 2013/0247183, Publication date 09/19/2013), and further in view of Jang et al. (U.S. Publication No. 2009/0133126, Publication date 05/21/2009).

As to claims 10 and 20, Kumar teaches all limitations as recited in claims 8 and 18 respectively.
However, Kumar does not explicitly teach:
“wherein the structured data comprises binary data”.
On the other hand, Jang et al. explicitly teaches:
“wherein the structured data comprises binary data” (see Jang et al., [0042] wherein DLLs are binary data).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Jang et al.'s teaching to Kumar et al.’s system by implementing structured data including binary data.  An ordinarily skilled artisan would have been motivated to do so to provide Kumar et al.’s system with an effective way to identify malicious activity associated with different structured data including structured data with binary data.  In addition, both of the references (Kumar et al. and Jang et al.) teach features that are directed to analogous art and they are directed to the same field of endeavor, such as, detecting suspicious/prohibited/invalid data issues by comparing data with stored/defined expected data.  This close relation between both of the references highly suggests an expectation of success.

Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to PHUONG THAO CAO whose telephone number is (571)272-2735. The examiner can normally be reached Monday - Friday: 9:00 am - 6:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashish Thomas can be reached on 571-272-0631. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Phuong Thao Cao/Primary Examiner, Art Unit 2164