DETAILED ACTION
This action is responsive to RCE filed on 05/23/2025. Claims 1 and 5 are independents. Claims 1-5 are amended. Claims 1-8 are currently pending.
Response to Arguments
The rejection of claims 1-8 under 35 U.S.C. 112(a) is withdrawn in view of the amendment.
The rejection of claims 1, 3, 5 and 7 under 35 U.S.C. 101 is withdrawn in view of the amendment.
The rejection of claims 1, 3-5 and 7-8 under 35 U.S.C. 112(b) is maintained because applicant did not address the prior rejection of record.
Applicant's arguments on pp. 9-11 of the Remarks filed on 11/10/2025 regarding the rejection under 35 U.S.C. 103 are moot. Upon further consideration and search, a new ground of rejection is made with newly found prior art.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 1-8 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Where applicant acts as his or her own lexicographer to specifically define a term of a claim contrary to its ordinary meaning, the written description must clearly redefine the claim term and set forth the uncommon definition so as to put one reasonably skilled in the art on notice that the applicant intended to so redefine that claim term. Process Control Corp. v. HydReclaim Corp., 190 F.3d 1350, 1357, 52 USPQ2d 1029, 1033 (Fed. Cir. 1999).
The term “coupling destination” is terminology inconsistent with the accepted meaning in the relevant art. A person having ordinary skill in the art would not ascertain what is meant with a “coupling destination” as it is not a standard term used in the field of cybersecurity or networking, and the specification does not provide a clear and explicit definition. Consequently, the scope of the term is unclear as the metes and bounds of the term are not clearly defined, rendering the claim indefinite under 35 U.S.C. 112(b).
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1, 3-5, 7-8 are rejected under 35 U.S.C. 103 as being unpatentable over Yoshida et al. (US 20180137274 A1), hereinafter Yoshida, in view of Nickolov et al. (US 20170034023 A1), hereinafter Nickolov, further in view of Zhu (CN 103914650 A), additionally in view of Kras et al. (US 20200177612 A1), hereinafter Kras and Chiba et al. (US 2018/0034766), hereinafter Chiba.
Regarding claims 1 and 5, Yoshida teaches a computer system, comprising:
at least one processor (para. 0008, processor);
a network interface coupled to the at least one processor and to a network; a server coupled to the network (para. 0021, an interface 13 connected to the network 20);
a memory storing instructions that when executed by the at least one processor, configure the processor to (para. 0021, a memory 11 that retains programs and data; para. 0022, the virtual machines 14-1 to 14-n is loaded to the memory 11 and executed by the processor 10):
detect a variation of the coupling destination based on results of cyclic observation of the coupling destination, output a result of the detection (para. 0070, On the other hand, if a command to stop monitoring has not been received, then the process returns to step S1, and activities of the malware 210 are monitored, repeating the process above; para. 0084, In step S31, the communication spoofing unit 110 acquires the communication content transmitted by the malware 210. In step S32, the destination is selected from the communication content acquired by the communication spoofing unit 110, and searched in the communication determination database 140; para. 0085, in step S33, the communication spoofing unit 110 determines whether or not the destination of the communication by the malware 210 is defined in the communication determination database 140; para. 0086, In step S34, the communication spoofing unit 110 acquires the spoofed communication content 142 corresponding to the destination 141 in the search results from the communication determination database 140, and executes the spoofed communication content 142. In the present embodiment, the communication spoofing unit 110 changes the destination of communication (packets) from the malware 210 to an address of the dummy server 30 and performs communication. Prior to performing communication, the communication spoofing unit 110 issues a request to the malware communication blocking unit 130 for a port to be opened. The malware communication blocking unit 130 opens the port requested by the malware 210 for use).
Yoshida does not explicitly teach: store, in the server via the network, at least observation information of observing the coupling destination the variation information corresponding to the coupling destination that allows sharing among a plurality of external computers. However, in an analogous art, Nickolov teaches: store, in the server via the network, at least observation information of observing the coupling destination the variation information corresponding to the coupling destination that allows sharing among a plurality of external computers (para. 0208, Stores telemetry data, analysis results, subscriber information; para. 0211, Store received telemetry information about Tracked Servers [0212] Retrieve intermediate analytics data/state to facilitate further computations/machine learning; the format saved can be the predetermined structured language).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate into Yoshida the teachings of Nickolov regarding cyclic observation and the sharing of analysis results, which in combination make the analysis more robust.
The combination of Yoshida and Nickolov does not explicitly teach the elements of a date and time of observing the coupling destination and a response code indicating a response from the coupling destination; the element of response code; the element of comparing a first response code and a second response code corresponding to the coupling destination. However, in an analogous art, Zhu teaches a date and time of observing the coupling destination and a response code indicating a response from the coupling destination, or adding element of date and time or timestamp to event; the element of response code (paras. 0014, 0033 (hash value mapped to code), 0108, and 0112).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Zhu's timestamp in order to describe precisely at what time the variation happened.
The combination of Yoshida, Nickolov and Zhu does not explicitly teach the elements of comparing a first response code and a second response code (corresponding to the coupling destination), and storing a result of the comparison as variation information (indicating whether there is a variation). However, in an analogous art, Kras teaches the element of comparing a first response code and a second response code (corresponding to the coupling destination), and storing a result of the comparison as variation information (indicating whether there is a variation) (para. 0009, [a] server may be configured to execute a cybersecurity attack across a plurality of user's computers on a network, monitor the computers and the network for interactions between the computers and the network indicating responses [two or more] to the attack and compare these responses against predetermined responses that have been identified to minimize the impact of the attack on the company. The predetermined responses may include identification of a primary attack point of the simulated cybersecurity attack, disconnection of one or more infected computer systems from the network, and/or quarantine of one or more computers that are associated with the one or more infected computer systems).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Kras's teaching of comparing two or more responses to find a variation, in order to describe precisely the variation that happened.
Yoshida as modified does not explicitly teach, but Chiba discloses:
a plurality of independent agents, which are computers coupled to the network and are independent of the server and the at least one processor ([0035]: the communication partner specifying unit 101 acquires the input lists and information about the communication partners listed on the lists. The input list of communication partners may include a list of known malignancy communication partners clear to be malignant and a list of known benign communication partners clear to be benign);
output an analysis result of a sample of a malicious program relating to cyber attack including at least a coupling destination to and from which the malicious program communicates … the coupling destination being an address ([0050]: The DNS query transmission controller 102 controls a DNS client to cause the DNS client to transmit a DNS query to the subject communication partner in the set cycle and collects the IP address corresponding to the subject communication partner from the response to the DNS query);
cyclically instruct at least one agent, of the plurality of agents, configured to observe the coupling destination to observe the coupling destination, and to output result information of the observation of the coupling destination, which has been obtained from the at least one agent, determine whether blocking of the communication to the coupling destination is required based on the output result information, and to output a determination result, and store the output result information and the output determination result in the predetermined structured language ([0062]: The DNS server communication monitoring unit 150 monitors the DNS server, collects IP addresses corresponding to the subject communication partner and the correspondence relationship log information creator 103 creates log information from the IP addresses corresponding to the subject communication partner, which are the IP addresses collected by the DNS server communication monitoring unit 150, and the times at each of which a response is made to a DNS query. [0059]: it is possible to use the log information created by the communication partner correspondence relationship collecting device 100 to create a blacklist of communication partners and calculate malignancy).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Chiba’s teaching of monitoring plural communication partners and outputting monitor information to block the malicious communication partners.
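The limitations mapped above for claims 1 and 5 describe one mechanism: cyclically observe a coupling destination (an address), record the date and time and the response code of each observation, compare a first and a second response code, store the comparison result as variation information together with a blocking determination, and serialise everything in a structured language so a server can share it with other computers. The following Python program is an added illustration of that mechanism for the reader and is not code from the application, from any of the cited references, or from the examiner. It makes no network requests: the probe replays a constructed list of response codes, the destination address and timestamps are constructed, JSON is assumed as the structured language, and the blocking policy (flag a destination whose response turns from non-2xx into 2xx) is an assumption chosen only to make the determination step concrete.

```python
import json
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Constructed sample input: the response codes a probe of one destination
# returned on five successive observation cycles. No network access is made;
# the probe below simply replays this list.
SAMPLE_CODES = [404, 404, 200, 200, 503]


def make_replay_probe(codes):
    """Return a probe(destination) callable that replays the constructed codes."""
    it = iter(codes)

    def probe(destination: str) -> int:
        return next(it)

    return probe


def observe(destination: str, probe: Callable[[str], int], observed_at: datetime) -> dict:
    """One observation: the destination, the date and time, and the response code."""
    return {
        "destination": destination,
        "observed_at": observed_at.isoformat(),
        "response_code": probe(destination),
    }


def compare(previous: Optional[dict], current: dict) -> Optional[dict]:
    """Compare the first (previous) and second (current) response codes and
    return the variation information; None on the very first cycle."""
    if previous is None:
        return None
    return {
        "destination": current["destination"],
        "first_code": previous["response_code"],
        "second_code": current["response_code"],
        "observed_at": current["observed_at"],
        "changed": previous["response_code"] != current["response_code"],
    }


def blocking_required(variation: Optional[dict]) -> bool:
    """Assumed policy (not from the application): a destination whose response
    turns from non-2xx into 2xx has become active and is flagged for blocking."""
    if variation is None or not variation["changed"]:
        return False
    was_active = 200 <= variation["first_code"] < 300
    is_active = 200 <= variation["second_code"] < 300
    return is_active and not was_active


def run_cycles(destination: str, probe: Callable[[str], int], cycles: int,
               start: datetime, interval: timedelta) -> list:
    """Cyclic observation: observe once per interval, compare with the previous
    observation, and keep observation, variation and determination per cycle."""
    records = []
    previous = None
    for i in range(cycles):
        current = observe(destination, probe, start + i * interval)
        variation = compare(previous, current)
        records.append({
            "observation": current,
            "variation": variation,
            "block": blocking_required(variation),
        })
        previous = current
    return records


def to_shared_format(records: list) -> str:
    """Serialise the records in a structured language (JSON assumed here) so a
    server can store them and other computers can read them."""
    return json.dumps(records, indent=2)


def demo() -> list:
    """Run the constructed scenario: five cycles, ten minutes apart."""
    start = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed timestamp
    return run_cycles("203.0.113.10",  # constructed documentation-range address
                      make_replay_probe(SAMPLE_CODES), len(SAMPLE_CODES),
                      start, timedelta(minutes=10))


if __name__ == "__main__":
    print(to_shared_format(demo()))
```

In the constructed run the third cycle is the only one flagged for blocking: the code changes from 404 to 200, which under the assumed policy means the destination has come alive. The fifth cycle also records a variation (200 to 503) but no blocking determination, which shows why the claimed design stores the comparison result and the determination result separately.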
Regarding claims 3 and 7, Yoshida as modified teaches all the limitations of claims 2 and 6, respectively, as shown above. Yoshida further teaches: wherein the at least one processor is configured to instruct, based on an observation cycle set to the coupling destination, the at least one agent to observe the coupling destination, and change the observation cycle based on the output result information (para. 0471, one or more different threads or instances of the DataGrid procedures may be initiated and/or implemented manually, automatically, statically, dynamically, concurrently, and/or combinations thereof. Additionally, different instances and/or embodiments of the DataGrid procedures may be initiated at one or more different time intervals (e.g., during a specific time interval, at regular periodic intervals, at irregular periodic intervals, upon demand, etc.); para. 0762, The number of datapoints known by the DataGrid System for the package change operation (e.g., the number of times such an upgrade or downgrade has occurred historically)).
Regarding claims 4 and 8, Yoshida as modified teaches all the limitations of claims 1 and 5, respectively, as shown above. Yoshida further teaches:
wherein the at least one processor is configured to:
determine, based on the detection result, whether the dynamic analysis for the sample of the malicious program that communicates to and from the coupling destination is required to execute again (para. 0070, In step S7, the response spoofing unit 120 determines whether or not a command to stop monitoring has been received from a management server (not shown) or an input device (not shown). If a command to stop monitoring is received, then the process is stopped. On the other hand, if a command to stop monitoring has not been received, then the process returns to step S1, and activities of the malware 210 are monitored, repeating the process above) and
execute the dynamic analysis for the sample of the malicious program in a case where it is determined that the dynamic analysis for the sample of the malicious program that communicates to and from the coupling destination is required to execute again, and output the analysis result, and store information newly output from the analysis module in the predetermined structured language in a form that allows sharing among the plurality of external computers (para. 0071, By the process above, if the virtual machine is infected by the malware 210, the response spoofing unit 120 can spoof the environment of a physical computer to the malware 210, and the communication content of the malware 210 can be accumulated in the dummy server 30 by the communication spoofing unit 110).
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MENG LI whose telephone number is (571)272-8729. The examiner can normally be reached on M-F 8:30-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ALEXANDER LAGOR can be reached on 571-270-5143. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MENG LI/Primary Examiner, Art Unit 2437