Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
Applicant’s arguments filed 01/28/2026 have been fully considered and are moot in view of the new grounds of rejection presented herein.
Applicant argues Brooks fails to disclose “assigning a score to each property associated with the at least one identified process” because Brooks only disclose assigning an overall score to the process and does not assign scores to a property associated with the process.
The claim language recites: assigning a score to each property associated with the at least one identified process, wherein the at least one property includes a path from which the process is executing, a reputation of a domain associated with the process, or a reputation of a uniform resource locator (URL) associated with the identified process; and the assigned score represents whether the associated property indicates the process or file is malicious.
Brooks discloses a score associated with the process referred to as a SAGScore (Brooks, ¶ 69-72). Brooks discloses scoring the URL associated with the identified process with a risk score representing whether the process is malicious (Brooks, ¶ 71).
Applicant’s further arguments are moot in view of the new grounds of rejection presented herein.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1-4, 6-11, 13-18, and 20-23 are rejected under 35 U.S.C. 103 as being unpatentable over US 20210029151 to Brooks in view of US 10,454,689 to Mehr in view of US 20210200870 to Yavo.
Regarding claim 1,
Brooks teaches a method for detecting malicious network activity, the method comprising:
communicating a request from a user device to a server to access a network resource on the server (fig. 7, request to obtain software);
receiving at an interface of the user device at least one feature of a digital certificate (¶ 54, reception of digital certificate);
comparing, using one or more processors executing instructions stored on memory on the user device, at least one feature of the digital certificate with a certificate attribute that is known to be associated with a legitimate certificate issuer (¶ 63, 66, comparison and verification of digital certificate attributes),
identifying, using the one or more processors, at least one process associated with the digital certificate after comparing the at least one feature of the digital certificate with the certificate attribute that is known to be associated with the legitimate certificate issuer, wherein the at least one process is identified on the user device (¶ 54, 56, 109, identification of software associated with digital certificate, verification of ; comparison of features of digital certificate to verify digital certificate; see also ¶ 52, 66);
analyzing, using the one or more processors, at least one property associated with the at least one identified process to determine whether, and to what extent, the identified process associated with the digital certificate is behaving anomalously (¶ 61, 55, 63, 66, analysis and identification of malicious software);
assigning a score to each property associated with the at least one identified process,
wherein the at least one property includes a path from which the process is executing, a reputation of a domain associated with the process, or a reputation of a uniform resource locator (URL) associated with the identified process, and the assigned score represents whether the associated property indicates the process or file is malicious (¶ 38, 54, 69-72, scoring of properties including URL associated with the identified process with a risk score representing whether the process is malicious );
identifying, using the one or more processors, the at least one process as malicious based on assigned score of each of the at least one property associated with the at least one process and based on comparison of the at least one feature of the digital certificate with the certificate attribute that is known to be associated with the legitimate certificate issuer (¶ 61, 55, 63, 66, 71, certification check and identification of malicious software);
executing at least one remedial action upon identifying the at least one process as malicious (¶ 58, generation of cyber incident report; fig. 6, 608).
Brooks fails to teach but Mehr teaches: wherein the at least one feature includes issuer country, issuer email address, or issuer city (col. 10:45-67, col. 34:60-67, col. 35:1-25).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include the teachings of Mehr. The motivation to do so is that the teachings of Mehr would have been advantageous in terms of facilitating data security (Mehr, col. 11:1-35).
Brooks fails to disclose wherein the process is executing on the user device. However, Yavo discloses wherein the process is executing on the user device (Yavo, ¶ 27).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include the teachings of Yavo. The motivation to do so is that the teachings of Yavo would have been advantageous in terms of facilitating the detection of malicious files (Yavo, ¶ 38).
Regarding claim 2, 9, 16,
Brooks teaches:
wherein the digital certificate is a Secure Sockets Layer (SSL) certificate (¶ 71, 109).
Regarding claim 3, 10, 17,
Brooks teaches:
wherein identifying the at least one process as malicious includes: calculating a score for the at least one process based on the analysis of the at least one property associated with the at least one process, determining whether the calculated score exceeds a threshold value, and identifying the at least one process as malicious upon determining the calculated score exceeds the threshold value (abstract ¶ 43, 69, score exceeding threshold for malicious software).
Regarding claim 4, 11, 18,
Brooks teaches:
wherein receiving the at least one feature of the digital certificate includes: identifying a network communication that uses a Secure Sockets Layer (SSL) protocol; and obtaining an SSL certificate associated with the network communication (¶ 71, 109).
Regarding claim 6, 13, 20,
Brooks fails to teach but Mehr teaches:
wherein the at least one feature of the digital certificate includes at least two or more of issuer name, issuer country, or issuer email address(col. 10:45-67, col. 34:60-67, col. 35:1-25, name, country). Motivation to include Mehr is the same as presented above.
Regarding claim 21, 23,
Brooks fails to teach but Yavo teaches:
wherein the identified process is executing on a first endpoint device on a network, and the method further includes determining that the identified process is attempting to contact at least a second endpoint device on the network, wherein the identification of the process as malicious is further based on the identified process attempting to contact the second endpoint device on the network (¶ 24, malicious classification upon attempt to communicate to network endpoint). Motivation to include Yavo is the same as presented above.
Regarding claim 7, 14,
Brooks teaches:
wherein the process is identified as malicious without decrypting traffic associated with the network communication (¶ 52-56).
Claim 8, 15 addressed by similar rationale as claim 1.
Claim(s) 22 are rejected under 35 U.S.C. 103 as being unpatentable over Brooks, Mehr, and Yavo in view of US 20210352093 to Hassanzadeh.
Regarding claim 22,
Brooks fails to teach but Hassanzadeh teaches:
receiving feedback regarding the identification of the at least one process as malicious, and adjusting the threshold value based on the received feedback (¶ 62, adjusting thresholds based on feedback regarding malicious files).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include the teachings of Hassanzadeh. The motivation to do so is that the teachings of Hassanzadeh would have been advantageous in terms of improving and generating adaptive models (Hassanzadeh, ¶ 62).
CONCLUSION
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RYAN J JAKOVAC whose telephone number is (571)270-5003. The examiner can normally be reached on 8-4 PM EST. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Oscar A. Louie can be reached on 572-270-1684. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/RYAN J JAKOVAC/Primary Examiner, Art Unit 2445
Prosecution Insights