DETAILED ACTION

The following is a Final office action in response to the Amendments filed on November 23, 2022.

Claims 1-3, 8-10, and 15-17 have been amended.

Claims 1-20 are pending.

Response to Arguments
 

	35 U.S.C. 103 Rejections
	Applicant’s arguments regarding the 103 rejection filed on November 23, 2022 have been fully considered but are moot because the arguments do not apply to the combination of references being used in the current rejection. For at least these reasons, applicant’s arguments are considered not persuasive.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Savagaonkar (U.S. PGPub 2007/0237080) in view of Parker et al. (USPGPub 2012/0233311) and further in view of Connor et al. (USPGPub 2003/0056047).

	As per claim 1, Savagaonkar teaches a method comprising:
 intercepting, by a monitoring component on a mobile device, a stream of data of a packet of unknown length being communicated to or from an application running on the mobile device, the packet having a packet header or a packet trailer (Savagaonkar, see paragraph [0025], Host 110 is coupled to an inline processing unit (IPU) 120. IPU 120 includes components that are in the direct path of inbound/outbound network traffic of host 110. The IPU 120 can be implemented within a network interface card (NIC) or it can be a stand-alone processing unit located between the host 110 and any NIC hardware. IPU 120 includes packet filters 121, which operate on Internet Protocol (IP) packet headers, including Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) packet headers, of the host network traffic.)
 tracking, by the monitoring component, a number of intercepted bytes of the packet from the stream (Savagaonkar, see paragraph [0025], The use of packet filters 121 allows IPU 120 to take specific actions, such as dropping packets. IPU 120 also includes a packet-header cache 122, which holds copies of time-stamped packet headers corresponding to the inbound/outbound network traffic of host 120.)
 examining, by the monitoring component, the packet header or the packet trailer wherein the monitoring component is configured to terminate the examining upon reading the number of intercepted bytes (Savagaonkar, see paragraph [0028], a heuristic rules engine 132, which applies various worm containment heuristic rules/algorithms to the packet headers obtained from the packet-header cache 122 of IPU 120. In one embodiment, if heuristic rules engine 132 detects evidence of anomalous traffic) and
 providing the network data to a remote server (Savagaonkar, see paragraph [0028], heuristic rules engine 132 can send an alert to a remote administrator through an out-of-band (OOB) management channel 160).
Savagaonkar doesn’t explicitly teach examining the packet header or the packet trailer for a predetermined set of types of network data.
In analogous art Parker teaches examining the packet header or the packet trailer for a predetermined set of types of network data (Parker, see paragraph [0028], when monitoring the traffic flows, analyze packets associated with the traffic flows in a stateful manner (e.g., by analyzing the contents of packet headers, trailers, etc.). When analyzing the packets with respect to layer one, for example, AR server 220 may identify a quantity of bandwidth being used by user device).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to take the teachings of Parker and apply them to the teachings of Savagaonkar, as doing so would help in detecting network anomalies (Parker, see paragraphs [0028], [0029]).
Savagaonkar-Parker doesn’t explicitly teach tracking by the monitoring component by incrementing a counter that represents the number of intercepted bytes and also doesn’t teach terminating the examining upon reading the number of intercepted bytes represented by the counter.
In analogous art Connor teaches tracking by the monitoring component by incrementing a counter that represents the number of intercepted bytes (Connor, see paragraph [0030], monitoring the number of outstanding packets in the packet queue of the protocol stack comprises identifying a number of packets indicated to the protocol stack (e.g., by incrementing a counter each time the device driver indicates a packet to the protocol stack)). Connor also teaches terminating the examining upon reading the number of intercepted bytes represented by the counter (Connor, see paragraph [0030], identifying a number of packets processed by the protocol stack (e.g., by incrementing a counter each time the protocol stack signals completion of a packet)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to take the teachings of Connor and apply them to the teachings of Savagaonkar-Parker, as doing so would prevent dropped packets and also prevent degraded overall system performance (Connor, see paragraphs [0007], [0008]).

As per claim 2, Savagaonkar-Parker-Connor teaches the method of claim 1, further comprising triggering initiation of the intercepting upon detecting creation of a connection between the mobile device and a second remote server (Savagaonkar, see paragraph [0032], a packet header containing an indication of a unique network connection is a trigger for an interesting event. A unique connection may be characterized by a unique source port, destination port, and/or destination address for a packet. This heuristic may be referred to as a "new connections" heuristic. In another embodiment, a packet header containing an indication of a unique destination IP address triggers an interesting event. This heuristic is an example of a "pure address-scan" heuristic).

As per claim 3, Savagaonkar-Parker-Connor teaches the method of claim 1, wherein the monitoring component is configured to intercept the stream of data by intercepting calls by the mobile device to read or write to the stream (Savagaonkar, see paragraph [0019], A "traffic window," as used herein, is a fixed period of time during which network traffic-flow is monitored by the system and events are analyzed using one or more heuristic algorithms/rules. The length of the time period defining the traffic window is referred to herein as the "window size" or "timescale." Thus, the window size or timescale defines the point in time at which counters corresponding to respective traffic windows are reset, marking the beginning of the new traffic window(s)).

As per claim 4, Savagaonkar-Parker-Connor teaches the method of claim 1, wherein the monitoring component is configured to determine that the predetermined set of types of network data have been obtained from the packet header or the packet trailer, and terminate the examining of the packet header or the packet trailer prior to reading a remainder of the intercepted bytes (Savagaonkar, see paragraph [0036], After a counter is incremented 340, the relevant heuristic determines whether the total count has exceeded the threshold value for the traffic window 350. If the count exceeds the threshold for the traffic window, a network circuit breaker is tripped to quarantine/isolate the host system from the network 370).

As per claim 5, Savagaonkar-Parker-Connor teaches the method of claim 1, wherein the monitoring component is configured to determine that the examining has read an entirety of the packet header or the packet trailer, and advance to a next packet from the stream without examining a payload of the packet (Savagaonkar, see paragraph [0031], The process relies on the detection of "interesting events." When the total count of detected interesting events exceeds a pre-determined threshold, an alarm is triggered and the host operating system is quarantined/isolated from the network. Thus, for a given traffic window, the system maintains a corresponding counter. At the beginning of a new traffic window, the corresponding counter is initialized 310. After initialization, the system retrieves the next packet header from the packet cache 320 and determines whether an interesting event has occurred 330. Interesting events are determined by heuristic analysis).

As per claim 6, Savagaonkar-Parker-Connor teaches the method of claim 1, wherein the monitoring component is configured to determine that the examining has read an entirety of the packet header or the packet trailer, and determine whether the examining has read a packet size of the packet from the packet header or the packet trailer (Savagaonkar, see paragraph [0025], IPU 120 includes packet filters 121, which operate on Internet Protocol (IP) packet headers, including Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) packet headers, of the host network traffic. The use of packet filters 121 allows IPU 120 to take specific actions, such as dropping packets. IPU 120 also includes a packet-header cache 122, which holds copies of time-stamped packet headers corresponding to the inbound/outbound network traffic of host 120. The packet header copies are deposited into the cache 122 after passing through the packet filters 121).

As per claim 7,
		[Rejection rationale for claim 5 is applicable].

As per claim 8, 
		[Rejection rationale for claim 1 is applicable].

As per claim 9, Savagaonkar-Parker-Connor teaches the system of claim 8, the operations further comprising triggering initiation of the intercepting upon detecting creation of a connection between the mobile device and a second remote server (Savagaonkar, see paragraph [0032], a packet header containing an indication of a unique network connection is a trigger for an interesting event. A unique connection may be characterized by a unique source port, destination port, and/or destination address for a packet. This heuristic may be referred to as a "new connections" heuristic. In another embodiment, a packet header containing an indication of a unique destination IP address triggers an interesting event. This heuristic is an example of a "pure address-scan" heuristic).

As per claim 10, Savagaonkar-Parker-Connor teaches the system of claim 8, wherein the monitoring component is configured to intercept the stream of data by intercepting calls by the mobile device to read or write to the stream (Savagaonkar, see paragraph [0019], A "traffic window," as used herein, is a fixed period of time during which network traffic-flow is monitored by the system and events are analyzed using one or more heuristic algorithms/rules. The length of the time period defining the traffic window is referred to herein as the "window size" or "timescale." Thus, the window size or timescale defines the point in time at which counters corresponding to respective traffic windows are reset, marking the beginning of the new traffic window(s)).

As per claim 11, Savagaonkar-Parker-Connor teaches the system of claim 8, wherein the monitoring component is configured to determine that the predetermined set of types of network data have been obtained from the packet header or the packet trailer, and terminate the examining of the packet header or the packet trailer prior to reading a remainder of the intercepted bytes (Savagaonkar, see paragraph [0036], After a counter is incremented 340, the relevant heuristic determines whether the total count has exceeded the threshold value for the traffic window 350. If the count exceeds the threshold for the traffic window, a network circuit breaker is tripped to quarantine/isolate the host system from the network 370).

As per claim 12, Savagaonkar-Parker-Connor teaches the system of claim 8, wherein the monitoring component is configured to determine that the examining has read an entirety of the packet header or the packet trailer, and advance to a next packet from the stream without examining a payload of the packet (Savagaonkar, see paragraph [0031], The process relies on the detection of "interesting events." When the total count of detected interesting events exceeds a pre-determined threshold, an alarm is triggered and the host operating system is quarantined/isolated from the network. Thus, for a given traffic window, the system maintains a corresponding counter. At the beginning of a new traffic window, the corresponding counter is initialized 310. After initialization, the system retrieves the next packet header from the packet cache 320 and determines whether an interesting event has occurred 330. Interesting events are determined by heuristic analysis).

As per claim 13, Savagaonkar-Parker-Connor teaches the system of claim 8, wherein the monitoring component is configured to determine that the examining has read an entirety of the packet header or the packet trailer, and determine whether the examining has read a packet size of the packet from the packet header or the packet trailer (Savagaonkar, see paragraph [0025], IPU 120 includes packet filters 121, which operate on Internet Protocol (IP) packet headers, including Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) packet headers, of the host network traffic. The use of packet filters 121 allows IPU 120 to take specific actions, such as dropping packets. IPU 120 also includes a packet-header cache 122, which holds copies of time-stamped packet headers corresponding to the inbound/outbound network traffic of host 120. The packet header copies are deposited into the cache 122 after passing through the packet filters 121).

As per claim 14,
		[Rejection rationale for claim 12 is applicable].

As per claim 15, 
		[Rejection rationale for claim 1 is applicable].

As per claim 16, Savagaonkar-Parker-Connor teaches the one or more non-transitory computer storage media of claim 15, the operations further comprising triggering initiation of the intercepting upon detecting creation of a connection between the mobile device and a second remote server (Savagaonkar, see paragraph [0032], a packet header containing an indication of a unique network connection is a trigger for an interesting event. A unique connection may be characterized by a unique source port, destination port, and/or destination address for a packet. This heuristic may be referred to as a "new connections" heuristic. In another embodiment, a packet header containing an indication of a unique destination IP address triggers an interesting event. This heuristic is an example of a "pure address-scan" heuristic).

As per claim 17, Savagaonkar-Parker-Connor teaches the one or more non-transitory computer storage media of claim 15, wherein the monitoring component is configured to intercept the stream of data by intercepting calls by the mobile device to read or write to the stream (Savagaonkar, see paragraph [0019], A "traffic window," as used herein, is a fixed period of time during which network traffic-flow is monitored by the system and events are analyzed using one or more heuristic algorithms/rules. The length of the time period defining the traffic window is referred to herein as the "window size" or "timescale." Thus, the window size or timescale defines the point in time at which counters corresponding to respective traffic windows are reset, marking the beginning of the new traffic window(s)).

As per claim 18, Savagaonkar-Parker-Connor teaches the one or more non-transitory computer storage media of claim 15, wherein the monitoring component is configured to determine that the predetermined set of types of network data have been obtained from the packet header or the packet trailer, and terminate the examining of the packet header or the packet trailer prior to reading a remainder of the intercepted bytes (Savagaonkar, see paragraph [0036], After a counter is incremented 340, the relevant heuristic determines whether the total count has exceeded the threshold value for the traffic window 350. If the count exceeds the threshold for the traffic window, a network circuit breaker is tripped to quarantine/isolate the host system from the network 370).

As per claim 19, Savagaonkar-Parker-Connor teaches the one or more non-transitory computer storage media of claim 15, wherein the monitoring component is configured to determine that the examining has read an entirety of the packet header or the packet trailer, and advance to a next packet from the stream without examining a payload of the packet (Savagaonkar, see paragraph [0031], The process relies on the detection of "interesting events." When the total count of detected interesting events exceeds a pre-determined threshold, an alarm is triggered and the host operating system is quarantined/isolated from the network. Thus, for a given traffic window, the system maintains a corresponding counter. At the beginning of a new traffic window, the corresponding counter is initialized 310. After initialization, the system retrieves the next packet header from the packet cache 320 and determines whether an interesting event has occurred 330. Interesting events are determined by heuristic analysis).

As per claim 20,
		[Rejection rationale for claim 19 is applicable].

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HERMON ASRES whose telephone number is (571)272-4257. The examiner can normally be reached Monday to Friday 9AM to 5PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Vivek Srivastava can be reached on (571)272-7304. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/HERMON ASRES/Primary Examiner, Art Unit 2449