DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 1-3, 5-10, 12-17 and 19-26 are pending. Claims 1, 8 and 15 have been amended.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 1, 8 and 15 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 1 recites the limitation of “…positioning an appropriate response module…”. The term “positioning” is unclear as it does not specify for example whether it refers to physical placement or logical insertion within the communication path. As such, a person of ordinary skill in the art would not be able to determine with reasonable certainty the scope of “positioning” in the context of malware threat detection.
The term “appropriate” is a relative term which renders the claim indefinite. The term “appropriate” is not defined by the claim, the specification does not provide a standard for ascertaining the requisite degree. The term could be interpreted differently, as it is unclear what conditions determines whether a response module is appropriate, leaving the positioning of malware response module open to multiple interpretation. Accordingly, one of ordinary skill in the art would not be reasonably apprised of the scope of the invention.
Independent claims 8 and 15 include limitation similar to the limitation of claim 1 and are rejected under 35 USC 112(b) as being indefinite for the same reason.
Dependent claims 2, 3, 5-7, 9, 10, 12-17 and 19 -26 are rejected as being indefinite based on their dependency on the independent claims.
Response to Arguments
Applicant's amendments/arguments filed on 04-07-2026 have been fully considered, and are moot in view of a new ground of rejection.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 5, 8,12, 15 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Johnson et al. (US Publication No.2018/0332060), hereinafter Johnson, in view of DiCato et al. (US Patent No. 9,443,075), hereinafter DiCato, in view of Mcgrew et al. (US Patent/ Publication No. 2019/0230095), hereinafter Mcgrew, further in view of Huff et al. (US Patent No. 6,408,391), hereinafter Huff.
As per claim 1, 8 and 15, Johnson discloses a malware neutralization system for a computer network comprising: a first intrusion detection system comprising a set of computer instruction executed by a computer processor that cause the first intrusion detection system to be in data communications with the computer network and arranged to: i) detect malware communications between a malware command and control (C2) server and a malware client on a first computer connected to the computer network (p [0025] “The intrusion prevention and detection system 160 may analyze the received network traffic in order to detect malicious activity, such as malware agent [malware client] communications with C2 servers”) and ii) send a first malware alert to a malware response server ; and the malware response server comprising a computer processor that executes a set of computer instructions that cause the malware response server to be in communications with the computer network and arranged to: i) receive the first malware alert sent by the first intrusion detection system through the computer network (p[0027], [0034] “Responsive to detecting malware activity, such as malware agent communications with C2 servers, the intrusion prevention and detection system 160 and/or the C2 server simulator 170 may notify the Security Information and Event Management (SIEM) server 180 and/or other entities ( e.g., the security incident response team)”), ii) determine [the type of malware threat] based on the first malware alert (p[0034], “The notification may include the network address and other identifying information of the detected malware agent and/ or the network address and other identifying information of the C2 server that was the intended recipient of the callback message originated by the malware agent”), iii) load an appropriate malware response module upon detecting malware threat and receiving the first malware threat, (p[0030],“in response to analyzing one or more logs or alerts originated by the intrusion prevention and detection system 160 and/or the C2 server simulator 170, a configuration management component of the enterprise network may reconfigure one or more instances of the router 130 by creating routing rules”), iv) intercept by malware response module one or more malware messages from the malware client that are directed to the malware C2 server (p[0030], “causing the router to discard subsequent network packets originated by the host on which the detected malware agent operates, network packets originated by any host on the enterprise network and addressed to the detected malware C2 server, and/or network packets originated by the detected malware C2 server”), v) send one or more malware response messages to the malware client to disrupt an operation of the malware client (p [0038], “forward, to the client computer system running a malware agent, one or more response packets comprising a command and control instruction issued to the client computer system”).
Johnson does not explicitly disclose, type of malware threat; load and positioning an appropriate malware response module in communication path between the malware client on the first computer and the malware C2 server upon detecting the malware threat by the first intrusion detection system and receiving the first malware alert by the malware response server; and using at least one offensive cybersecurity technique.
However, in an analogous art, DiCato discloses, load and positioning an appropriate malware response module in communication path between the malware client on the first computer and the malware C2 server upon detecting the malware threat by the first intrusion detection system (column 7, line 54-column 8, line 2, “ At step 308, a plurality of response mechanisms is enforced based in part on the analysis and a policy language tailored for the command and control channel operated by the adversary. For example, step 310 may be performed by malware proxy 135 of malware control system 100. Once control over the command and control channel of the adversary is established by the network defender, a number of responses can be used to deal with the adversary”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Johnson with DiCato. This would have been obvious because one of ordinary skill in the art would have been motivated to detect and adapt to malware activity on a compromised computer system.
DiCato does not explicitly disclose load and positioning an appropriate malware response module is upon receiving the first malware alert. However, as discussed previously, Johnson discloses loading an appropriate malware response module upon receiving the first malware alert. Additionally, it is well known in the art that malware detection systems, such as intrusion detection systems, generate alerts upon detecting malicious activity, and that such alerts initiate responsive security actions to address malicious activity. Accordingly, it would have been obvious to one of ordinary skill in the art to modify the system of DiCato to load and position an appropriate malware response modules in communication path upon receiving the malware alert, thereby improving system effectiveness in detecting malicious activities.
Johnson in view of DiCato does not explicitly disclose, type of malware threat; and using at least one offensive cybersecurity technique. However, in an analogous art, Mcgrew discloses type of the malware threat (p[0034], “The alert signal may specify the name, type, version, or any other known information about the suspected malicious application, as well as any known information about the flow, such as source and/or destination IP address, date, time, location, etc.”).
It would have been obvious to one of ordinary skill in the art before effective filing date of the invention to combine Johnson and DiCato with Mcgrew. This would have been obvious because one of ordinary skill in the art would have been motivated to identify the particular type of malware in order to provide protection against the same type of malware.
While Johnson discloses, send one or more malware response messages to the malware client to disrupt an operation of the malware client, Johnson in view of DiCato and Mcgrew does not explicitly disclose, using at least one offensive cybersecurity technique. However, using at least one offensive cybersecurity technique is old and well known as illustrated by Huff (column 11, lines 23-45, “…an agent is dispatched to a computer on which a suspected or actual intruder resides. Once the gent is deployed at the intruder’s computer, an offensive agent can be used …to disable the intruder”).
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention to modify the modified Johnson to include the well know feature of using offensive technique to countermeasure against an actual intruder.
As per claim 5, 12 and 19, Johnson furthermore discloses, wherein the malware response module comprises computer instruction executed by the processor on the malware response server to compare the one or more malware messages from the malware client to a set of known malware messages in a malware database to determine the one or more malware response messages to be sent to the malware client (p[0025], “matching the network packets to known malware activity pattern”, and p[0028], “matching the request to known callback signature).
Claims 2, 3, 9, 10, 16 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Johnson in view of DiCato, Mcgrew and Huff, further in view of Quinlan et al. (US Publication No. 2014/0283061), hereinafter Quinlan.
As per claim 2, 9 and 16, Johnson furthermore discloses, wherein the malware response module comprises computer instructions executed by the processor on the malware response server to masquerade as the malware C2 server to the malware client (p [0033], simulator 170 respond to callback request transmitted by a malware agent, such that the malware agent would be led to believe that it has communicated to its C2 server”).
Johnson as modified does not explicitly disclose, intercepting at the malware response module all communication between C2 server and the malware client. However, in an analogous art Quinlan discloses a security device intercepts the request from attacker device (malware client) to a server (C2 server) and sends a response to attacker device (p [0021]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the modified Johnson with Quinlan. This would have been obvious because one of ordinary skill in the art would have been motivated to protect server from attacking devices).
As per claim 3, 10 and 17, Johnson furthermore discloses, wherein the malware response module masquerades as the C2 server to the malware client via the one or more malware response messages (p [0033], simulator 170 respond to callback request transmitted by a malware agent, such that the malware agent would be led to believe that it has communicated to its C2 server”).
Claims 6, 7, 13, 14 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Johnson, in view of DiCato, Mcgrew and Huff, further in view of Soliman (US Publication No. 2021/0084058), hereinafter Soliman.
As per claim 6, 13 and 20, Johnson as modified disclose [a second] intrusion detection system comprising a second set of computer instructions executed by a computer processor that cause the [second] intrusion detection system to be in communications with the computer network and arranged to: i) detect malware communications between a malware C2 server and the malware client on the first computer connected to the computer network and ii) send a[second] malware alert to the malware response server (p [0027], [0034] “Responsive to detecting malware activity, such as malware agent communications with C2 servers, the intrusion prevention and detection system 160 and/or the C2 server simulator 170 may notify the Security Information and Event Management (SIEM) server 180 and/or other entities ( e.g., the security incident response team)”). Johnson as modified does not explicitly disclose, a second intrusion detection system; and send a second malware alert. However, including a second or multiple intrusion system and sending a second or multiple alert is old and well known in the art of computer security, as illustrated by Soliman (p[0013] , “the first intrusion detection system module for analyzing the mirrored and aggregated network traffic…and for transmitting a first IDS associated data and the second intrusion detection system module for analyzing the mirrored and aggregated network traffic… for transmitting a second IDS associated data”, and p[0015], “wherein the first and second IDS associated data each comprises alerts data and analytics data”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the modified Johnson with Solimon. This would have been obvious because one of ordinary skill in the art would have been motivated to enhance the system security and malware detection speed through use of multiple Intrusion Detection Systems for faster identification of malicious activities.
As per claim 7 and 14, Johnson as modified discloses, wherein the malware response server is arranged to: i) receive the second malware alert (Soliman, p[0013] and [0015]), ii) determine the type of malware threat based on [the second] malware alert(Mcgrew, p[0034]), iii) load an appropriate malware response module, iv) intercept one or more malware [second] messages from the malware client that are directed to the malware C2 server, and v) send one or more [second] malware response messages to the malware client to disrupt an operation of the malware client (Johnson, p[0030] and [0038], as shown above with respect to claim 1).
Johnson as modified teaches that ii, iii, iv and v steps are based on a first malware alert, a malware first message and a first malware response, not based on a second malware alert, malware second messages, and a second malware response. However, it is noted that the steps for determining the type of malware threat based on a second message, intercepting of malware second message and sending a second malware response are repetition of those used to determine…based on a first malware alert, intercept a malware first message and send a first malware response message. In other words, the modified Johnson could simply repeat and apply the same steps to determine the type of malware threat for multiple (i.e., a second, third, etc.) malware alerts, intercept of a malware second, third or any messages, and sending second, third, or any malware response messages. It is noted that repetition of the same steps does not include an inventive step since it involves only routing skills in the art, and it would have been obvious to one of ordinary skill in the art, providing protection benefit against multiple malware categories.
Claims 21 and 24 are rejected under 35 U.S.C. 103 as being unpatentable over Johnson in view of DiCato, Mcgrew and Huff, further in view of Rao et al. (US Publication No. 2006/0037072), hereinafter Rao.
As per claim 21 and 24, Johnson as modified does not explicitly disclose, but in an analogous art, Rao discloses the at least one offensive cybersecurity technique comprises renegotiating a cryptographic key for security communications, obtaining a new cryptographic key and using the new key to disrupt communications between the malware client on the first computer and the malware command and control (C2) server (paragraph [0147], “to ensure that malicious computing devices do not take advantage of this open hole, the gateway 340 at step 276 negotiates a secret key between the two computing devices 102a and 102b and the respective remote access clients 120 ensure that the keys match before allowing data communication”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the modified Johnson with Rao. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to achieve the predictable result of protecting computer devices from malicious activities.
Claims 22 and 25 are rejected under 35 U.S.C. 103 as being unpatentable over Johnson in view of DiCato, Mcgrew and Huff, further in view of Jakobsson et al. (US Patent No. 11,757,914), hereinafter Jakobsson.
As per claim 22 and 25, Johnson as modified does not explicitly disclose the at least one offensive cybersecurity technique comprises transmitting multiple false agent registrations to the malware command and control (C2) server when it is determined to contain malware. However, in an analogous art, Jakobsson discloses, generating fake data item in form of honey-token (column 49, lines 57-60) and polluting /contaminating data transmitted to attacker system when attack detected (column 50 lines 5-24, column 51, lines 8-11). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the modified Johnson with Jakobsson. This would have been obvious because one of ordinary skill in the art would have been motivated to contaminate the attacker system in order to burn attacker resources to fake data and distracting from valuable data.
Although Jakobsson instead of transmitting false agent registration is transmitting fake data (i.e., fake account number, email address), transmitting false agent registration (as claimed) instead of other forms of false/fake data (as discloses by Jakobsson) does not include an inventive step. Substituting fake data with false agent registration is directed to a simple substitution of known elements. One of ordinary skill in the art recognizes that Jakobsson could apply the same process for transmitting fake data to transmit multiple false agent registration without exercising an inventive technique.
Claims 23 and 26 are rejected under 35 U.S.C. 103 as being unpatentable over Johnson in view of DiCato, Mcgrew and Huff, further in view of Yakovlev et al. (US Patent No. 11,729,215), hereinafter Yakovlev.
As per claim 23 and 26, Johnson as modified does not explicitly disclose the at least one offensive cybersecurity technique comprises automatically sending transmission control protocol (TCP) resets to the malware client on the first computer and the malware command and control (C2) server. However, in an analogous art, Yakovlev discloses, the at least one offensive cybersecurity technique comprises automatically sending transmission control protocol (TCP) resets to the malware client on the first computer and the malware command and control (C2) server (column 5, lines 63-67, “in the event that it is determined to block the TCP connection: sending a TCP reset (RST) message to each of the 65
first and second devices in order to close the TCP connection”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the modified Johnson with Yakovlev. This would have been obvious because one of ordinary skill in the art would have been motivated to reset TCP when determined to block TCP connection, in order to prevent exfiltration of sensitive data or receipt of malicious data by a device
within the network.
References Cited, Not Used
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Ben-Itzhak (US Publication No. 2003/0204719) discloses, an application layer security method and system to secure trusted computer applications from executing out of their intended and authorized scope caused by illegal or harmful operation requests received from a distrusted environment. In an embodiment of the invention, a protective layer is implemented in between a trusted application and distrusted application operation requests. In operation, the protective layer identifies an application path of each operation request. Depending on the application path identified, one or more security pipes scrutinize the application contents of the operation request to determine if the operation request is illegal or harmful to the application or a surrounding environment
Rego et al. (US Pub 2020/0014711) discloses, a device includes a communication interface and a processor. The communication interface is configured to receive a network threat report. The processor is configured to extract an indicator from the network threat report. The processor is also configured to determine, based on the indicator, a confidence score indicating a likelihood that the indicator is associated with malicious activity. The processor is further configured to determine, based on the indicator, an impact score indicating a potential severity of the malicious activity. The processor is further configured to identify, based on the indicator, the confidence score, and the impact score, an action to be performed. The action includes blocking network traffic corresponding to the indicator or monitoring network traffic corresponding to the indicator. The processor is also configured to initiate performance of the action.
Gauvin (US Patent 9,185,132) discloses, techniques for sensor based attack reflection. In one particular exemplary embodiment, the techniques may be realized as a method for sensor based attack reflection comprising detecting an attack at a sensor, identifying a portion of memory associated with the attack, redirecting at least the identified portion of memory to a secure network using an access point, extracting data associated with the attack on the secure network, redirecting a response to the attack from the secure network to the sensor, transmitting the response from the sensor to a network location associated with the attack, receiving a subsequent attack communication based on the response at the access point, redirecting the subsequent attack communication to the secure network, and analyzing the subsequent attack communication.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ALI ABYANEH whose telephone number is (571)272-7961. The examiner can normally be reached Monday - Friday from 8:00 am-5:00pm (EST).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alexander Lagor can be reached at (571)270-5143. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/ALI S ABYANEH/Primary Examiner, Art Unit 2437