Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after allowance or after an Office action under Ex Parte Quayle, 25 USPQ 74, 453 O.G. 213 (Comm'r Pat. 1935). Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, prosecution in this application has been reopened pursuant to 37 CFR 1.114.
Information Disclosure Statement
The information disclosure statement (IDS) was submitted on January 7, 2026 with the request for continued examination under 37 CFR 1.114. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13.
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer.
Claims 1-4, 6-11, 13-18 and 20-23 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 3, 5, 8, 9, 11, 13, 16 and 17 of copending Application No. 17/932,008 in view of Kuperman et al (U.S. Patent 10,567,410).
This is a provisional nonstatutory double patenting rejection.
Regarding claim 1, Application No. 17/932,008 claims a method for identifying malicious connections between computing devices, the method comprising:
generating a dataset of first handshake parameters for connections to one or more external devices initiated by a first set of software applications, wherein the first set of software applications include one or more known malicious software applications and one or more known non-malicious software applications, wherein for each connection of the connections, a set of handshake parameters is collected, the set of handshake parameters including (Claim 1, lines 8-13):
a first subset of handshake parameters transmitted from the first set of software applications to the one or more external devices in a first setup message (Claim 1, lines 14-16); and
a second subset of handshake parameters transmitted from one of the one or more external devices to the first set of software applications in a second setup message (Claim 1, lines 17-19);
wherein generating the dataset comprises evaluating non-numerical data from the first subset of handshake parameters and the second subset of handshake parameters (Claim 1, lines 20 and 21);
training a machine learning model to predict whether subsequent connections are malicious using the dataset (Claim 1, lines 22-24);
obtaining second handshake parameters for a connection between a first computing device and a target device responsive to at least one software application of a second set of software applications executing on the first computing device initiating the connection to the target device; generating a feature set by extracting features from the second handshake parameters for the connection between the first computing device and the target device, wherein the second handshake parameters include (Claim 1, lines 8-13, wherein the claim generates a dataset of handshake parameters for each respective connection and would therefore have second handshake parameters for a connection responsive to a software application of a second set of software applications):
a first set of parameters transmitted from the first computing device to the target device in a client channel setup message (Claim 1, lines 14-16); and
a second set of parameters transmitted from the target device to the first computing device in a server channel setup message (Claim 1, lines 17-19);
wherein extracting comprises evaluating non-numerical data from the first set of parameters and the second set of parameters (Claim 1, lines 20 and 21).
Application No. 17/932,008 does not claim predicting a maliciousness of the connection between the first computing device and the target device using the trained machine learning model, wherein the extracted features are provided as inputs to the trained machine learning model; and automatically initiating a corrective action if the connection between the first computing device and the target device is predicted to be malicious.
Kuperman teaches (Column 6, line 63 to column 7, line 24) “engine 110 applies 250 an execution model to the execution features to determine whether the executable file is malicious. The execution model may be a machine-learned model that is trained based on execution features of known-malicious executable files and known-non-malicious executable files. These known-malicious executable files and known-non-malicious executable files are thus used as labeled training data for the execution model. The execution model outputs a confidence score representing the execution model’s certainty that the executable file is malicious and the behavior analysis engine 110 determines 260 the maliciousness of the executable file based on the confidence score. In some embodiments, the behavior analysis engine 110 uses a threshold for the confidence score to determine whether the executable file is malicious…. [I]f the confidence score exceeds the threshold, the behavior analysis engine 110 may instruct the network traffic hub to block the network communication ..”
It would have been obvious to one of ordinary skill in the art to use the machine learning model of claim 1 in Application No. 17/932,008 to predict the maliciousness of the connection between the first computing device and the target device, wherein the extracted features are provided as inputs to the trained machine learning model; and automatically initiating a corrective action if the connection between the first computing device and the target device is predicted to be malicious as taught by Kuperman. The rationale is as follows: One of ordinary skill in the art would have been motivated to use the machine learning model to predict the maliciousness of the connection between the first computing device and the target device and to automatically block the connection between the first computing device and the target device when the connection is predicted to be malicious in order to keep malicious software from infecting a device.
Regarding claim 2, Application No. 17/932,008 in view of Kuperman teaches wherein the trained machine learning model outputs a maliciousness score for the connection between the first computing device and the target device, and where the connection between the first computing device and the target device is predicted to be malicious if the maliciousness score meets or exceeds a threshold value as set forth above.
Regarding claim 3, Application No. 17/932,008 in view of Kuperman teaches wherein the corrective action comprises at least one of: blocking or terminating the connection between the first computing device and the target device as set forth above.
Regarding claim 4, Application No. 17/932,008 teaches wherein the first handshake parameters and the second handshake parameters comprise connection parameters associated with Secure Sockets Layer (SSL) protocol, Transport Layer Security (TLS) protocol, QUIC protocol, or Secure Shell (SSH) protocol (Claim 3, lines 1-3).
Regarding claim 6, Application No. 17/932,008 teaches wherein the evaluating non-numerical data comprises at least one of:
encoding non-numerical parameters as numerical values; or
generating a probability of maliciousness for any non-numerical parameters by evaluating the non-numerical parameters using a natural language processing (NLP) model (Claim 5, lines 1-5).
Regarding claim 7, Application No. 17/932,008 teaches wherein the machine learning model is one of a neural network, a deep neural network, a Support Vector Machine (SVM), a nearest neighbor model, a Naive-Bayes model, a decision tree, or a linear regression model (Claim 8, lines 1-3).
Claims 8-10 are the system claims that correspond to the method claims 1-3 above, and are rejected over claim 9 of Application No. 17/932,008 in view of Kuperman for the reasons set forth above.
Claims 11, 13 and 14 correspond to claims 11, 13 and 16 of Application No. 17/932,008, and are rejected over claims 11, 13 and 16 of Application No. 17/932,008 in view of Kuperman for the reasons set forth above.
Claims 15-18 and 20 are the computer readable medium claims that correspond to the method claims 1-4 and 7 above, and are rejected over claim 17 of Application No. 17/932,008 in view of Kuperman for the reasons set forth above.
Regarding claims 21 and 22, Kuperman teaches further updating a list of handshake parameters associated with known malicious applications based on the maliciousness of the connection between the first computing device and the target device, wherein updating the list of handshake parameters includes adding a feature of the extracted features to the list and storing the maliciousness of the connection with the feature (See Figure 5 of Kuperman).
It would have been obvious to one of ordinary skill in the art to update the list of handshake parameters in claim 1 of Application No. 17/932,008 as taught by Kuperman. The rationale is as follows: One of ordinary skill in the art would have been motivated to update the list of handshake parameters as taught by Kuperman so that the model is up-to-date for detecting malicious behavior (Kuperman, column 11, lines 32-34).
Regarding claim 23, Application No. 17/932,008 further teaches transmitting the list to the first computing device (Claim 1, last line).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM R KORZUCH whose telephone number is (571)272-7589. The examiner can normally be reached Mon.-Fri. 8:00-4:00.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/WILLIAM R KORZUCH/Supervisory Patent Examiner, Art Unit 2491