Prosecution Insights
Last updated: April 19, 2026
Application No. 18/102,912

SYSTEMS AND METHODS FOR AUTOMATED NEUTRALIZATION OF IDS DETECTED MALWARE THREATS

Final Rejection (§103)
Filed: Jan 30, 2023
Examiner: ABYANEH, ALI S
Art Unit: 2437
Tech Center: 2400 — Computer Networks
Assignee: Nightwing Group, LLC
OA Round: 2 (Final)

Grant Probability: 78% (Favorable)
Expected OA Rounds: 3-4
Time to Grant: 3y 3m
Grant Probability With Interview: 99%

Examiner Intelligence

Career Allow Rate: 78% (485 granted / 623 resolved), +19.8% vs Tech Center average; above average
Interview Lift: +55.6% (allowance rate with an interview vs. without, over resolved cases with an interview)
Avg Prosecution: 3y 3m
Currently Pending: 23
Total Applications: 646 across all art units

Statute-Specific Performance

§101: 17.2% (-22.8% vs TC avg)
§103: 49.1% (+9.1% vs TC avg)
§102: 9.5% (-30.5% vs TC avg)
§112: 13.9% (-26.1% vs TC avg)
Based on career data from 623 resolved cases; the Tech Center average is an estimate.

Office Action

Final Rejection, §103

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Status of Claims

Claims 1-3, 5-10, 12-17 and 19-26 are pending, claims 4, 11 and 18 have been canceled, claims 1, 2, 5, 6, 8, 9, 15 and 16 have been amended, and claims 21-26 have been newly added. In light of Applicant's amendments, claims 1-3 and 5-7 do not invoke 112(f), and the rejections of claims under 35 USC 112(a) and (b) are withdrawn.

Response to Arguments

Applicant's amendments/arguments filed on 11-04-2025 have been fully considered. Applicant's argument with respect to the newly amended limitation of "send one or more malware response...using at least one offensive cybersecurity technique" is moot in view of a new ground of rejection.

In response to applicant's argument that the references fail to show certain features of the invention, it is noted that the features upon which applicant relies (i.e., "...'malware response module'...is loaded and positioned in the communication path...after the malware threat has been detected by the first intrusion detection system (such as a commercial IDS)...") are not recited in the rejected claim(s). Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims. See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 5, 8, 12, 15 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Johnson et al. (US Publication No. 2018/0332060), hereinafter Johnson, in view of Mcgrew et al. (US Publication No. 2019/0230095), hereinafter Mcgrew, further in view of Huff et al. (US Patent No. 6,408,391), hereinafter Huff.

As per claims 1, 8 and 15, Johnson discloses a malware neutralization system for a computer network comprising: a first intrusion detection system comprising a set of computer instructions executed by a computer processor that cause the first intrusion detection system to be in data communications with the computer network and arranged to: i) detect malware communications between a malware command and control (C2) server and a malware client on a first computer connected to the computer network (p [0025], "The intrusion prevention and detection system 160 may analyze the received network traffic in order to detect malicious activity, such as malware agent [malware client] communications with C2 servers") and ii) send a first malware alert to a malware response server; and the malware response server comprising a computer processor that executes a set of computer instructions that cause the malware response server to be in communications with the computer network and arranged to: i) receive the first malware alert sent by the first intrusion detection system through the computer network (p [0027], [0034], "Responsive to detecting malware activity, such as malware agent communications with C2 servers, the intrusion prevention and detection system 160 and/or the C2 server simulator 170 may notify the Security Information and Event Management (SIEM) server 180 and/or other entities (e.g., the security incident response team)"), ii) determine [the type of malware threat] based on the first malware alert (p [0034], "The notification may include the network address and other identifying information of the detected malware agent and/or the network address and other identifying information of the C2 server that was the intended recipient of the callback message originated by the malware agent"), iii) load an appropriate malware response module (p [0030], "in response to analyzing one or more logs or alerts originated by the intrusion prevention and detection system 160 and/or the C2 server simulator 170, a configuration management component of the enterprise network may reconfigure one or more instances of the router 130 by creating routing rules"), iv) intercept one or more malware messages from the malware client that are directed to the malware C2 server (p [0030], "causing the router to discard subsequent network packets originated by the host on which the detected malware agent operates, network packets originated by any host on the enterprise network and addressed to the detected malware C2 server, and/or network packets originated by the detected malware C2 server"), v) send one or more malware response messages to the malware client to disrupt an operation of the malware client (p [0038], "forward, to the client computer system running a malware agent, one or more response packets comprising a command and control instruction issued to the client computer system").

Johnson does not explicitly disclose, but in an analogous art, Mcgrew discloses the type of the malware threat (p [0034], "The alert signal may specify the name, type, version, or any other known information about the suspected malicious application, as well as any known information about the flow, such as source and/or destination IP address, date, time, location, etc."). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to combine Johnson with Mcgrew. This would have been obvious because one of ordinary skill in the art would have been motivated to identify the particular type of malware in order to provide protection against the same type of malware.

While Johnson discloses sending one or more malware response messages to the malware client to disrupt an operation of the malware client, Johnson does not explicitly disclose using at least one offensive cybersecurity technique. However, using at least one offensive cybersecurity technique is old and well known, as illustrated by Huff (column 11, lines 23-45, "...an agent is dispatched to a computer on which a suspected or actual intruder resides. Once the agent is deployed at the intruder's computer, an offensive agent can be used...to disable the intruder"). It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the modified Johnson to include the well-known feature of using an offensive technique as a countermeasure against an actual intruder.

As per claims 5, 12 and 19, Johnson furthermore discloses wherein the malware response module comprises computer instructions executed by the processor on the malware response server to compare the one or more malware messages from the malware client to a set of known malware messages in a malware database to determine the one or more malware response messages to be sent to the malware client (p [0025], "matching the network packets to known malware activity pattern", and p [0028], "matching the request to known callback signature").

Claims 2, 3, 9, 10, 16 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Johnson in view of Mcgrew and Huff, further in view of Quinlan et al. (US Publication No. 2014/0283061), hereinafter Quinlan.

As per claims 2, 9 and 16, Johnson furthermore discloses wherein the malware response module comprises computer instructions executed by the processor on the malware response server to masquerade as the malware C2 server to the malware client (p [0033], "simulator 170 respond to callback request transmitted by a malware agent, such that the malware agent would be led to believe that it has communicated to its C2 server"). Johnson as modified does not explicitly disclose intercepting at the malware response module all communication between the C2 server and the malware client. However, in an analogous art, Quinlan discloses a security device that intercepts the request from an attacker device (malware client) to a server (C2 server) and sends a response to the attacker device (p [0021]). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the modified Johnson with Quinlan. This would have been obvious because one of ordinary skill in the art would have been motivated to protect the server from attacking devices.

As per claims 3, 10 and 17, Johnson furthermore discloses wherein the malware response module masquerades as the C2 server to the malware client via the one or more malware response messages (p [0033], "simulator 170 respond to callback request transmitted by a malware agent, such that the malware agent would be led to believe that it has communicated to its C2 server").

Claims 6, 7, 13, 14 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Johnson, in view of Mcgrew and Huff, further in view of Soliman (US Publication No. 2021/0084058), hereinafter Soliman.

As per claims 6, 13 and 20, Johnson as modified discloses [a second] intrusion detection system comprising a second set of computer instructions executed by a computer processor that cause the [second] intrusion detection system to be in communications with the computer network and arranged to: i) detect malware communications between a malware C2 server and the malware client on the first computer connected to the computer network and ii) send a [second] malware alert to the malware response server (p [0027], [0034], "Responsive to detecting malware activity, such as malware agent communications with C2 servers, the intrusion prevention and detection system 160 and/or the C2 server simulator 170 may notify the Security Information and Event Management (SIEM) server 180 and/or other entities (e.g., the security incident response team)"). Johnson as modified does not explicitly disclose a second intrusion detection system and sending a second malware alert. However, including a second or multiple intrusion detection systems and sending a second or multiple alerts is old and well known in the art of computer security, as illustrated by Soliman (p [0013], "the first intrusion detection system module for analyzing the mirrored and aggregated network traffic...and for transmitting a first IDS associated data and the second intrusion detection system module for analyzing the mirrored and aggregated network traffic...for transmitting a second IDS associated data", and p [0015], "wherein the first and second IDS associated data each comprises alerts data and analytics data"). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the modified Johnson with Soliman. This would have been obvious because one of ordinary skill in the art would have been motivated to enhance the system security and malware detection speed through use of multiple Intrusion Detection Systems for faster identification of malicious activities.

As per claims 7 and 14, Johnson as modified discloses wherein the malware response server is arranged to: i) receive the second malware alert (Soliman, p [0013] and [0015]), ii) determine the type of malware threat based on [the second] malware alert (Mcgrew, p [0034]), iii) load an appropriate malware response module, iv) intercept one or more [second] malware messages from the malware client that are directed to the malware C2 server, and v) send one or more [second] malware response messages to the malware client to disrupt an operation of the malware client (Johnson, p [0030] and [0038], as shown above with respect to claim 1). Johnson as modified teaches that steps ii, iii, iv and v are based on a first malware alert, a first malware message and a first malware response, not on a second malware alert, second malware messages and a second malware response. However, it is noted that the steps of determining the type of malware threat based on a second message, intercepting a second malware message and sending a second malware response are repetitions of those used to determine the type based on a first malware alert, intercept a first malware message and send a first malware response message. In other words, the modified Johnson could simply repeat and apply the same steps to determine the type of malware threat for multiple (i.e., a second, third, etc.) malware alerts, intercept second, third or any further malware messages, and send second, third or any further malware response messages. It is noted that repetition of the same steps does not include an inventive step, since it involves only routine skill in the art, and it would have been obvious to one of ordinary skill in the art, providing the benefit of protection against multiple malware categories.

Claims 21 and 24 are rejected under 35 U.S.C. 103 as being unpatentable over Johnson in view of Mcgrew and Huff, further in view of Rao et al. (US Publication No. 2006/0037072), hereinafter Rao.

As per claims 21 and 24, Johnson as modified does not explicitly disclose, but in an analogous art, Rao discloses that the at least one offensive cybersecurity technique comprises renegotiating a cryptographic key for secure communications, obtaining a new cryptographic key and using the new key to disrupt communications between the malware client on the first computer and the malware command and control (C2) server (paragraph [0147], "to ensure that malicious computing devices do not take advantage of this open hole, the gateway 340 at step 276 negotiates a secret key between the two computing devices 102a and 102b and the respective remote access clients 120 ensure that the keys match before allowing data communication"). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the modified Johnson with Rao. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to achieve the predictable result of protecting computer devices from malicious activities.

Claims 22 and 25 are rejected under 35 U.S.C. 103 as being unpatentable over Johnson in view of Mcgrew and Huff, further in view of Jakobsson et al. (US Patent No. 11,757,914), hereinafter Jakobsson.

As per claims 22 and 25, Johnson as modified does not explicitly disclose that the at least one offensive cybersecurity technique comprises transmitting multiple false agent registrations to the malware command and control (C2) server when it is determined to contain malware. However, in an analogous art, Jakobsson discloses generating a fake data item in the form of a honey-token (column 49, lines 57-60) and polluting/contaminating data transmitted to the attacker system when an attack is detected (column 50, lines 5-24; column 51, lines 8-11). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the modified Johnson with Jakobsson. This would have been obvious because one of ordinary skill in the art would have been motivated to contaminate the attacker system in order to burn attacker resources on fake data and distract from valuable data. Although Jakobsson transmits fake data (i.e., fake account numbers, email addresses) rather than false agent registrations, transmitting false agent registrations (as claimed) instead of other forms of false/fake data (as disclosed by Jakobsson) does not include an inventive step. Substituting false agent registrations for fake data is a simple substitution of known elements. One of ordinary skill in the art recognizes that Jakobsson could apply the same process used for transmitting fake data to transmit multiple false agent registrations without exercising an inventive technique.

Claims 23 and 26 are rejected under 35 U.S.C. 103 as being unpatentable over Johnson in view of Mcgrew and Huff, further in view of Yakovlev et al. (US Patent No. 11,729,215), hereinafter Yakovlev.

As per claims 23 and 26, Johnson as modified does not explicitly disclose that the at least one offensive cybersecurity technique comprises automatically sending transmission control protocol (TCP) resets to the malware client on the first computer and the malware command and control (C2) server. However, in an analogous art, Yakovlev discloses that the at least one offensive cybersecurity technique comprises automatically sending transmission control protocol (TCP) resets to the malware client on the first computer and the malware command and control (C2) server (column 5, lines 63-67, "in the event that it is determined to block the TCP connection: sending a TCP reset (RST) message to each of the first and second devices in order to close the TCP connection"). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the modified Johnson with Yakovlev. This would have been obvious because one of ordinary skill in the art would have been motivated to reset TCP when it is determined to block a TCP connection, in order to prevent exfiltration of sensitive data or receipt of malicious data by a device within the network.

References Cited, Not Used

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

Rego et al. (US Pub 2020/0014711) discloses a device that includes a communication interface and a processor. The communication interface is configured to receive a network threat report. The processor is configured to extract an indicator from the network threat report. The processor is also configured to determine, based on the indicator, a confidence score indicating a likelihood that the indicator is associated with malicious activity. The processor is further configured to determine, based on the indicator, an impact score indicating a potential severity of the malicious activity. The processor is further configured to identify, based on the indicator, the confidence score, and the impact score, an action to be performed. The action includes blocking network traffic corresponding to the indicator or monitoring network traffic corresponding to the indicator. The processor is also configured to initiate performance of the action.

Gauvin (US Patent 9,185,132) discloses techniques for sensor based attack reflection. In one particular exemplary embodiment, the techniques may be realized as a method for sensor based attack reflection comprising detecting an attack at a sensor, identifying a portion of memory associated with the attack, redirecting at least the identified portion of memory to a secure network using an access point, extracting data associated with the attack on the secure network, redirecting a response to the attack from the secure network to the sensor, transmitting the response from the sensor to a network location associated with the attack, receiving a subsequent attack communication based on the response at the access point, redirecting the subsequent attack communication to the secure network, and analyzing the subsequent attack communication.

Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Ali Abyaneh, whose telephone number is (571) 272-7961. The examiner can normally be reached Monday-Friday from 8:00-5:00. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Alexander Lagor, can be reached on (571) 270-5143. can be reached on (571) 272-4063. The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/ALI S ABYANEH/ Primary Examiner, Art Unit 2437
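The claims the examiner maps above describe a concrete pipeline (receive an IDS alert, classify the threat, load a response module, respond toward both endpoints), and claims 23/26 name one specific response: a TCP reset to the client and to the C2 server. The block below is an added illustration of that pipeline and is not code from the application, the examiner or any cited reference. It assumes the IDS emits one JSON record per alert (a constructed record, loosely in Suricata EVE shape), that the record's source is the internal malware client and its destination the C2 server, and that the record carries the observed TCP sequence and acknowledgement numbers of the beacon segment; real IDS alerts usually do not include sequence numbers, so a deployed module would read them from the intercepted segment instead. The function and field names are the example's own. Nothing here transmits packets; it only builds the two RST segments and validates their checksums.

```python
"""Alert-driven response dispatch with a TCP-reset response module (added example)."""
import json
import socket
import struct

TCP_RST = 0x04
TCP_ACK = 0x10

# Constructed sample alert (not a real capture; addresses are documentation ranges).
# The "tcp" seq/ack fields are an assumption of this example, not a standard EVE field.
SAMPLE_ALERT = json.dumps({
    "event_type": "alert",
    "proto": "TCP",
    "src_ip": "10.0.0.23", "src_port": 49512,
    "dest_ip": "203.0.113.7", "dest_port": 443,
    "alert": {"signature": "MALWARE Beacon check-in to known C2",
              "category": "Malware Command and Control Activity Detected"},
    "tcp": {"seq": 1000, "ack": 5000},
    "payload_len": 120,
})


def parse_alert(line: str) -> dict:
    """Claim step i: receive the IDS alert and pull out the 5-tuple and TCP state."""
    rec = json.loads(line)
    if rec.get("event_type") != "alert" or rec.get("proto") != "TCP":
        raise ValueError("not a TCP alert record")
    return {
        "client_ip": rec["src_ip"], "client_port": rec["src_port"],
        "c2_ip": rec["dest_ip"], "c2_port": rec["dest_port"],
        "signature": rec["alert"]["signature"],
        "category": rec["alert"]["category"],
        "seq": rec["tcp"]["seq"], "ack": rec["tcp"]["ack"],
        "payload_len": rec["payload_len"],
    }


def classify(alert: dict) -> str:
    """Claim step ii: derive the threat type from the alert text (keyword match, for illustration)."""
    text = (alert["signature"] + " " + alert["category"]).lower()
    if "command and control" in text or " c2" in text or "beacon" in text:
        return "c2_channel"
    return "unknown"


def _ones_complement_sum(data: bytes) -> int:
    """Internet checksum over data (RFC 1071); returns 0 when data already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))


def build_tcp_segment(src_ip, src_port, dst_ip, dst_port, seq, ack, flags) -> bytes:
    """Bare 20-byte TCP header (no options, no payload) with a valid checksum."""
    hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, seq & 0xFFFFFFFF,
                      ack & 0xFFFFFFFF, 5 << 4, flags, 0, 0, 0)
    csum = _ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def verify_tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    return _ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def reset_pair(alert: dict) -> tuple:
    """Response module in the shape of claims 23/26: one RST toward each endpoint.

    The RST spoofed as the client carries the client's next sequence number: an
    RFC 5961 host honours an RST only when SEQ equals RCV.NXT exactly and answers
    any other in-window RST with a challenge ACK. The RST spoofed as the C2 server
    uses the client's ACK value, the next byte the client expects from the server.
    """
    client_next = (alert["seq"] + alert["payload_len"]) & 0xFFFFFFFF
    to_c2 = build_tcp_segment(alert["client_ip"], alert["client_port"],
                              alert["c2_ip"], alert["c2_port"],
                              client_next, 0, TCP_RST)
    to_client = build_tcp_segment(alert["c2_ip"], alert["c2_port"],
                                  alert["client_ip"], alert["client_port"],
                                  alert["ack"], client_next, TCP_RST | TCP_ACK)
    return to_client, to_c2


# Claim step iii: the "malware response modules", selected by threat type.
RESPONSE_MODULES = {"c2_channel": reset_pair}


def neutralize(alert_line: str):
    """Run the flow end to end; returns (threat type, module name, segments to send)."""
    alert = parse_alert(alert_line)
    threat = classify(alert)
    module = RESPONSE_MODULES.get(threat)
    if module is None:
        return threat, None, ()
    return threat, module.__name__, module(alert)
```

Two practitioner caveats the office action does not spell out: injecting the segments needs raw-socket privilege and a vantage point on the path (or a TAP with an injection port), and a reset only kills the current connection, so a beacon simply reconnects; in practice the reset is paired with the sinkhole/masquerade response of claims 2-3 or a routing block so the next check-in never reaches the real C2.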

Prosecution Timeline

Jan 30, 2023: Application Filed
Aug 07, 2025: Non-Final Rejection (§103)
Nov 04, 2025: Response Filed
Jan 23, 2026: Final Rejection (§103), current

Precedent Cases

Applications granted by this same examiner with similar technology (5 most recent grants):

Patent 12603868: Endpoint Data Loss Prevention (granted Apr 14, 2026; 2y 5m to grant)
Patent 12579259: SYSTEMS AND METHODS FOR INTELLIGENT CYBERSECURITY ALERT SIMILARITY DETECTION AND CYBERSECURITY ALERT HANDLING (granted Mar 17, 2026; 2y 5m to grant)
Patent 12574374: PROVIDING ACCESS CONTROL AND IDENTITY VERIFICATION FOR COMMUNICATIONS WHEN INITIATING A COMMUNICATION TO AN ENTITY TO BE VERIFIED (granted Mar 10, 2026; 2y 5m to grant)
Patent 12561465: VIRTUAL REPRESENTATION OF INDIVIDUAL IN COMPUTING ENVIRONMENT (granted Feb 24, 2026; 2y 5m to grant)
Patent 12556553: NETWORK SECURITY AND RELATED APPARATUSES, METHODS, AND SECURITY SYSTEMS (granted Feb 17, 2026; 2y 5m to grant)


Prosecution Projections

Expected OA Rounds: 3-4
Grant Probability: 78% (99% with interview, +55.6%)
Median Time to Grant: 3y 3m
PTA Risk: Moderate
Based on 623 resolved cases by this examiner. Grant probability derived from career allow rate.
