DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Amendment
The amendment filed on October 14, 2025 has been entered.
Claims 1 and 8 have been amended.
Response to Arguments
Applicant's arguments filed on October 14, 2025 have been fully considered but they are moot in view of the new grounds of rejection.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-5, 7-8, 10-13, and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Zawoad et al. (Pub. No. US 2019/0387005), hereinafter Zawoad; in view of Mahjoub et al. (Pub. No. US 2017/0041333), hereinafter Mahjoub.
Claim 1. Zawoad discloses a network security system (See Parag. [0032]; a cybersecurity system), including a processor and a storage device including instructions configured to run on the processor (see Parag. [0263]), comprising:
a network traffic analysis tool operative to communicate with a plurality of third-party internet addresses that are separately connected to the Internet and to extract information about traffic with the third-party addresses on the Internet that indicates that ones of the third-party addresses on the Internet are suspected malware support infrastructure addresses (See Parag. [0040]; The cybersecurity system may include various engines that collectively perform operations to calculate maliciousness scores for network identifiers (See Parag. [0016]; network identifier is equivalent to IP address and network domain name). See Parag. [0045]; parameter determination engine (network traffic analysis tool) may collect malicious activity information from various malicious activity sources (e.g., the third-party servers of FIG. 1) (a plurality of third-party addresses), extract and/or calculate various parameters (features) from the collected malicious activity information, and provide the extracted and/or calculated features to the decision engine. See Parag. [0118]; the malicious activity information may provide a list of malware tied to an IP address),
an automated traffic pattern recognition tool that is responsive to the information extracted by the network traffic analysis tool and to enrichment data, and is operative to detect patterns in extracted internet traffic based on the information extracted by the network traffic analysis tool that indicates that ones of the third-party addresses on the Internet are suspected malware support infrastructure addresses (See Parag. [0226]; The model training engine 602 (traffic pattern recognition tool) may receive a feature set provided by the parameter determination engine 316 of FIG. 3… the model training engine 602 may obtain training data including a list of network identifiers (e.g., one or more IP addresses and/or one or more network domain names) with preassigned maliciousness scores. The training data may include historical maliciousness activity information obtained from one or more malicious activity sources (e.g., the third-party servers described in connection to FIG. 1). See Parag. [0227]; Using the training data, the model training engine 602 may generate and train one or more machine-learning models utilizing the feature set and conventional supervised-learning algorithms… the model training engine 602 may score each model according to a degree of accuracy of the output of the model to the preassigned maliciousness scores provided in the training data; a highest scored model may be selected to provide maliciousness scores for network identifiers. See Parag. [0118]; the malicious activity information may provide a list of malware tied to an IP address. See also Parag. [0130]; the malicious activity information may provide a list of malware tied to the network domain),
an identification tool responsive to the traffic pattern recognition tool to identify others of the third-party addresses on the Internet associated with malicious traffic over the Internet based on the patterns detected in the extracted information about traffic with the third-party addresses on the Internet (See Parag. [0229]; scoring engine 604 (identification tool) may be configured to receive (e.g., from the parameter determination engine 316 of FIG. 3) a feature set associated with one or more network identifiers. The feature set may include any combination of the features described in connection with the parameter determination engine 316. The scoring engine 604 may utilize the selected machine-learning model (selected based on the model training engine 602 (traffic pattern recognition tool)) to output a maliciousness score for the network identifier corresponding to the feature set. A maliciousness score can be a numerical value. In some cases, the maliciousness score can correspond to a classification label that identifies a security risk. As a non-limiting example, reputation labels may include “Critical,” “High,” “Medium,” and “Low,” where “Critical” reputation labels indicate a highest risk severity and “Low” reputation labels indicate a lowest risk severity (identify others of the third-party addresses as belonging to victims associated with the suspected attack support infrastructure addresses)), and
storage responsive to the identification tool for storing the recorded suspected malware support infrastructure addresses (See Parag. [0229]; The output may be stored as historical malicious activity information to be used to update/train machine-learning algorithm. See also Parag. [0233]; the maliciousness scores may be stored in the maliciousness scores data store. The maliciousness scores data store 710 may be included as part of the data store 312 of FIG. 3 (See Parag. [0048])).
Zawoad further discloses the addresses as third-party addresses, but Zawoad does not explicitly disclose: extracting information about traffic by scanning the third-party addresses with one or more signatures; scanning the suspected malware support infrastructure addresses; identifying others of the third-party addresses on the Internet as belonging to victims associated with malicious traffic over the Internet between the suspected malware support infrastructure addresses and the third-party addresses on the Internet belonging to victims; and storing both the recorded suspected malware support infrastructure addresses and the third-party addresses for the identified victims on an ongoing basis.
However, Mahjoub discloses extracting information about traffic with the addresses on the Internet that indicates that ones of the addresses on the Internet are suspected malware support infrastructure addresses by scanning the addresses with one or more signatures (See Parag. [0053-0063]; a method 140 performed by the CDD (compromised domain detection) subsystem to detect and potentially block malicious domains or IP addresses, according to an example embodiment. Generally, the CDD subsystem utilizes DNS traffic above a recursive DNS name server level to detect and classify malicious domains. The traffic is typically captured in authoritative logs that are returned from authoritative name servers in response to DNS queries from a recursive DNS nameserver or resolver … the CDD subsystem extracts IP address information to map the IP space used for malware infrastructure and find additional compromised IP space. In particular, the CDD subsystem may use the IP address of a mismatched hostname to determine a corresponding IP address range ... These IP address ranges provide information regarding the IP space used for malware infrastructure. For example, small ranges of IP addresses with mismatched hostname and SLD ASNs may be blocked. Moreover, a hoster associated with the IP address range can be used to determine any other IP address ranges associated with the same hoster. An IPWHOIS database can be used to determine additional hoster information for searching to find other IP address ranges ... See Parag. [0087]; the CDD subsystem may use fingerprinting utilities such as NMAP, MASSCAN, or other TCP/IP fingerprinting/scanning utilities. See also Parag. [0064]. Applicant discloses in the specification that large-scale scanning tools, such as Unicorn Scan, Zmap, or MASSCAN, can be configured to scan large parts of a network, such as all of the IP addresses in a defined address range),
identifying others of the third-party addresses on the Internet as belonging to victims associated with malicious traffic over the Internet between the suspected malware support infrastructure addresses and the addresses on the Internet belonging to victims (See Parag. [0059]; detecting compromised domains within large hosting providers. It has been observed that attackers have adopted a pattern of compromising thousands of domains … See Parag. [0063]; … a hoster associated with the IP address range can be used to determine any other IP address ranges associated with the same hoster. An IPWHOIS database can be used to determine additional hoster information for searching to find other IP address ranges. See also Parag. [0061], [0074]),
storing both the recorded suspected malware support infrastructure addresses and the addresses for the identified victims on an ongoing basis (See Parag. [0063]; These IP address ranges can also be blacklisted. See Parag. [0081]; the CDD subsystem adds the hoster and any associated IP address ranges of the hoster to a database or other storage of rogue hosters. Although not shown, the system may also add the derived IP address ranges to a black list automatically. In another example, the system may further examine the additional IP address ranges before adding them to a black list. See also Parag. [0039]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the cybersecurity system taught by Zawoad to include extracting information about traffic by scanning the addresses with one or more signatures, identifying others of the addresses on the Internet as belonging to victims, and storing both the recorded suspected malware support infrastructure addresses and the addresses for the identified victims on an ongoing basis, as taught by Mahjoub. This would make it possible to efficiently discover suspicious reserved ranges of IP addresses and sweep en masse for candidate suspicious IPs and domains. The system provides actionable intelligence and preemptively detects and blocks malicious IP infrastructures prior to, or immediately after, some of them are used to wage malware campaigns, therefore decisively closing the detection gap (Mahjoub, Parag. [0022]).
Claim 2. Zawoad in view of Mahjoub discloses the system of claim 1,
Zawoad further discloses wherein the extracted internet traffic is extracted from the internet with a flow information extraction tool (See Parag. [0045]; parameter determination engine may collect malicious activity information from various malicious activity sources (e.g., the third-party servers of FIG. 1) (a plurality of third-party addresses), extract and/or calculate various parameters (features) from the collected malicious activity information, and provide the extracted and/or calculated features to the decision engine. See also Parag. [0118]).
Claim 3. Zawoad in view of Mahjoub discloses the system of claim 1,
Zawoad further discloses wherein the automated traffic pattern recognition tool is responsive to a plurality of third-party enrichment data sources (See Parag. [0226]; The model training engine 602 (traffic pattern recognition tool) may receive a feature set provided by the parameter determination engine 316 of FIG. 3… the model training engine 602 may obtain training data including a list of network identifiers (e.g., one or more IP addresses and/or one or more network domain names) with preassigned maliciousness scores. In some examples, the training data may include historical maliciousness activity information obtained from one or more malicious activity sources (e.g., the third-party servers described in connection to FIG. 1)).
Claim 4. Zawoad in view of Mahjoub discloses the system of claim 1,
Zawoad further discloses the system further including an enrichment tool to enrich the recorded suspected malware support infrastructure addresses and identified victims (See Parag. [0226]; The model training engine 602 (traffic pattern recognition tool) may receive a feature set provided by the parameter determination engine 316 of FIG. 3… the model training engine 602 may obtain training data including a list of network identifiers (e.g., one or more IP addresses and/or one or more network domain names) with preassigned maliciousness scores. In some examples, the training data may include historical maliciousness activity information obtained from one or more malicious activity sources (e.g., the third-party servers described in connection to FIG. 1). See Parag. [0118]).
Claim 5. Zawoad in view of Mahjoub discloses the system of claim 1,
Zawoad further discloses wherein the storage is part of a larger database of threat data (See Parag. [0229]; The output may be stored as historical malicious activity information to be used to update/train machine-learning algorithm. See also Parag. [0233]; the maliciousness scores may be stored in the maliciousness scores data store. The maliciousness scores data store 710 may be included as part of the data store 312 of FIG. 3 (See Parag. [0048])).
Claim 7. Zawoad in view of Mahjoub discloses the system of claim 1,
Zawoad further discloses wherein the malware support infrastructure addresses include malware controller addresses (See Parag. [0019]; Threat intelligence information can include high-risk hosts, network domain names, malicious payloads and Internet Protocol (IP) addresses, a threat classification and/or score of an IP address and/or network domain name, malware/phishing identification information, information regarding malicious files associated with an IP address and/or a network domain, indications of criminal intent, and the like).
Claim 8. Zawoad discloses a network security method, comprising:
extracting information about a plurality of separately connected third-party addresses on the internet that indicates that ones of the third-party addresses on the Internet are suspected malware support infrastructure addresses on the Internet (See Parag. [0040]; The cybersecurity system may include various engines that collectively perform operations to calculate maliciousness scores for network identifiers (See Parag. [0016]; network identifier is equivalent to IP address and network domain name). See Parag. [0045]; parameter determination engine (network traffic analysis tool) may collect malicious activity information from various malicious activity sources (e.g., the third-party servers of FIG. 1) (a plurality of third-party addresses), extract and/or calculate various parameters (features) from the collected malicious activity information, and provide the extracted and/or calculated features to the decision engine. See Parag. [0118]; the malicious activity information may provide a list of malware tied to an IP address),
detecting patterns in extracted internet traffic based on the information extracted in the step of extracting (See Parag. [0226]; The model training engine 602 (traffic pattern recognition tool) may receive a feature set provided by the parameter determination engine 316 of FIG. 3… the model training engine 602 may obtain training data including a list of network identifiers (e.g., one or more IP addresses and/or one or more network domain names) with preassigned maliciousness scores. The training data may include historical maliciousness activity information obtained from one or more malicious activity sources (e.g., the third-party servers described in connection to FIG. 1). See Parag. [0227]; Using the training data, the model training engine 602 may generate and train one or more machine-learning models utilizing the feature set and conventional supervised-learning algorithms… the model training engine 602 may score each model according to a degree of accuracy of the output of the model to the preassigned maliciousness scores provided in the training data; a highest scored model may be selected to provide maliciousness scores for network identifiers. See Parag. [0118]; the malicious activity information may provide a list of malware tied to an IP address. See also Parag. [0130]; the malicious activity information may provide a list of malware tied to the network domain),
identifying third-party addresses based on the patterns detected in the extracted information about traffic between a plurality of separately connected third-party addresses on the internet and suspected malware support infrastructure addresses on the Internet (See Parag. [0229]; scoring engine 604 (identification tool) may be configured to receive (e.g., from the parameter determination engine 316 of FIG. 3) a feature set associated with one or more network identifiers. The feature set may include any combination of the features described in connection with the parameter determination engine 316. The scoring engine 604 may utilize the selected machine-learning model (selected based on the model training engine 602 (traffic pattern recognition tool)) to output a maliciousness score for the network identifier corresponding to the feature set. A maliciousness score can be a numerical value. In some cases, the maliciousness score can correspond to a classification label that identifies a security risk. As a non-limiting example, reputation labels may include “Critical,” “High,” “Medium,” and “Low,” where “Critical” reputation labels indicate a highest risk severity and “Low” reputation labels indicate a lowest risk severity (identify others of the third-party addresses as belonging to victims associated with the suspected attack support infrastructure addresses)), and
storing the recorded suspected malware support infrastructure addresses (See Parag. [0229]; The output may be stored as historical malicious activity information to be used to update/train machine-learning algorithm. See also Parag. [0233]; the maliciousness scores may be stored in the maliciousness scores data store. The maliciousness scores data store 710 may be included as part of the data store 312 of FIG. 3 (See Parag. [0048])).
Zawoad further discloses the addresses as third-party addresses, but Zawoad does not explicitly disclose: extracting information about traffic by scanning the third-party addresses with one or more signatures; identifying victims associated with malicious traffic over the Internet between the suspected malware support infrastructure addresses and the third-party addresses on the Internet belonging to victims; and storing both the recorded suspected malware support infrastructure addresses and the addresses for the identified victims on an ongoing basis.
However, Mahjoub discloses:
extracting information about a plurality of separately connected third-party addresses on the internet that indicates that ones of the third-party addresses on the Internet are suspected malware support infrastructure addresses on the Internet by scanning the addresses with one or more signatures (See Parag. [0053-0063]; a method 140 performed by the CDD (compromised domain detection) subsystem to detect and potentially block malicious domains or IP addresses, according to an example embodiment. Generally, the CDD subsystem utilizes DNS traffic above a recursive DNS name server level to detect and classify malicious domains. The traffic is typically captured in authoritative logs that are returned from authoritative name servers in response to DNS queries from a recursive DNS nameserver or resolver … the CDD subsystem extracts IP address information to map the IP space used for malware infrastructure and find additional compromised IP space. In particular, the CDD subsystem may use the IP address of a mismatched hostname to determine a corresponding IP address range ... These IP address ranges provide information regarding the IP space used for malware infrastructure. For example, small ranges of IP addresses with mismatched hostname and SLD ASNs may be blocked. Moreover, a hoster associated with the IP address range can be used to determine any other IP address ranges associated with the same hoster. An IPWHOIS database can be used to determine additional hoster information for searching to find other IP address ranges ... See Parag. [0087]; the CDD subsystem may use fingerprinting utilities such as NMAP, MASSCAN, or other TCP/IP fingerprinting/scanning utilities. See also Parag. [0064]. Applicant discloses in the specification that large-scale scanning tools, such as Unicorn Scan, Zmap, or MASSCAN, can be configured to scan large parts of a network, such as all of the IP addresses in a defined address range),
identifying victims associated with malicious traffic over the Internet between the suspected malware support infrastructure addresses and the third-party addresses on the Internet belonging to victims (See Parag. [0059]; detecting compromised domains within large hosting providers. It has been observed that attackers have adopted a pattern of compromising thousands of domains … See Parag. [0063]; … a hoster associated with the IP address range can be used to determine any other IP address ranges associated with the same hoster. An IPWHOIS database can be used to determine additional hoster information for searching to find other IP address ranges. See also Parag. [0061], [0074]),
storing both the recorded suspected malware support infrastructure addresses and the third-party addresses for the identified victims on an ongoing basis (See Parag. [0063]; These IP address ranges can also be blacklisted. See Parag. [0081]; the CDD subsystem adds the hoster and any associated IP address ranges of the hoster to a database or other storage of rogue hosters. Although not shown, the system may also add the derived IP address ranges to a black list automatically. In another example, the system may further examine the additional IP address ranges before adding them to a black list. See also Parag. [0039]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the cybersecurity system taught by Zawoad to include extracting information about traffic by scanning the addresses with one or more signatures, identifying others of the addresses on the Internet as belonging to victims, and storing both the recorded suspected malware support infrastructure addresses and the addresses for the identified victims on an ongoing basis, as taught by Mahjoub. This would make it possible to efficiently discover suspicious reserved ranges of IP addresses and sweep en masse for candidate suspicious IPs and domains. The system provides actionable intelligence and preemptively detects and blocks malicious IP infrastructures prior to, or immediately after, some of them are used to wage malware campaigns, therefore decisively closing the detection gap (Mahjoub, Parag. [0022]).
Claim 10. The applicant is directed to the rejection to claim 2 set forth above, as it is rejected based on the same rationale.
Claim 11. The applicant is directed to the rejection to claim 3 set forth above, as it is rejected based on the same rationale.
Claim 12. The applicant is directed to the rejection to claim 4 set forth above, as it is rejected based on the same rationale.
Claim 13. The applicant is directed to the rejection to claim 5 set forth above, as it is rejected based on the same rationale.
Claim 15. The applicant is directed to the rejection to claim 7 set forth above, as it is rejected based on the same rationale.
Claims 6 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Zawoad et al. (Pub. No. US 2019/0387005), hereinafter Zawoad; in view of Mahjoub et al. (Pub. No. US 2017/0041333), hereinafter Mahjoub; and in further view of Xu (Pub. No. US 2017/0163603), as applied to claim 1 above.
Claim 6. Zawoad in view of Mahjoub discloses the system of claim 1,
Zawoad does not explicitly disclose: wherein the network security system is operative to automatically identify at least hundreds of malware victims per day.
However, Xu discloses: wherein the network security system is operative to automatically identify at least hundreds of malware victims per day (The art teaches in Parag. [0074] that a cloud security service can collect a large number (e.g., tens of thousands) of malware domains on a daily basis (e.g., as security devices/firewalls distributed at various enterprise customer networks can detect and report detected malicious/malware domains to the cloud security service)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the cybersecurity system taught by Zawoad in view of Mahjoub to include identifying at least hundreds of malware victims per day, as taught by Xu. This would make it possible to identify hosts that are infected within a customer's network and/or to prevent future malware infections of hosts on the customer's network (Xu, Parag. [0093]).
Claim 14. The applicant is directed to the rejection to claim 6 set forth above, as it is rejected based on the same rationale.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure (see PTO-form 892).
The following patents and papers are cited to further show the state of the art at the time of Applicant's invention with respect to malware identification:
Singh (Pub. No. US 2017/0223037), "Using High-Interaction Networks for Targeted Threat Intelligence."
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GHIZLANE MAAZOUZ, whose telephone number is (571) 272-8118. The examiner can normally be reached Monday through Friday, 7:30 AM to 5:00 PM (telework).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Philip Chea, can be reached at 571-272-3951. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/GHIZLANE MAAZOUZ/
Examiner, Art Unit 2499

/PHILIP J CHEA/
Supervisory Patent Examiner, Art Unit 2499