Prosecution Insights
Last updated: April 19, 2026
Application No. 18/227,601

INTRUSION PREVENTION BASED ON INFECTION CHAINS

Status: Non-Final OA §103
Filed: Jul 28, 2023
Examiner: CELANI, NICHOLAS P
Art Unit: 2449
Tech Center: 2400 — Computer Networks
Assignee: Palo Alto Networks Inc.
OA Round: 3 (Non-Final)
Grant Probability: 46% (Moderate)
Expected OA Rounds: 3-4
Time to Grant: 3y 2m
Grant Probability With Interview: 88%

Examiner Intelligence

Career Allow Rate: 46% (grants 46% of resolved cases; 207 granted / 454 resolved; -12.4% vs TC avg)
Interview Lift: +42.2% (strong interview lift; measured on resolved cases with interview vs. without)
Avg Prosecution (typical timeline): 3y 2m
Currently Pending: 41
Career History: 495 total applications across all art units

Statute-Specific Performance

§101: 14.7% (-25.3% vs TC avg)
§103: 49.5% (+9.5% vs TC avg)
§102: 2.7% (-37.3% vs TC avg)
§112: 24.3% (-15.7% vs TC avg)
Comparison baseline is the Tech Center average estimate. Based on career data from 454 resolved cases.

Office Action

§103
DETAILED ACTION

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Status of Claims

The following claim(s) is/are pending in this office action: 1-21
The following claim(s) is/are amended: 1, 9, 17, 21
The following claim(s) is/are new: -
The following claim(s) is/are cancelled: -
Claim(s) 1-21 is/are rejected.

Response to Arguments

Applicant's arguments filed in the amendment filed 10/24/2025, have been fully considered but are moot in view of new grounds of rejection. The reasons are set forth below.

Applicant's Invention as Claimed

Claim Rejections - 35 USC § 103

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 7-11, 15-19, and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Melicher (US Pub. 2022/0116411) in view of Nguyen (US Pub. 2020/0314117) in view of Hu (US Pub. 2019/0052650) and further in view of Templeman (US Pat. 11,552,986).

With respect to Claim 1, Melicher teaches a system, comprising: a processor configured to: (para. 18; processor) monitor network traffic at a security platform; (Fig. 1, para. 28; security platform. Paras. 20-21, 34, 38; data appliance includes firewall that monitors network traffic and network. To the extent that data appliance is not shown as part of security platform, it would have been obvious to one of ordinary skill prior to the effective filing date to substitute the location of the functionality for predictable results, see MPEP 2143, and further to provide a platform with monitoring functionality for multiple networks.) prefilter the monitored network traffic at the security platform to select a subset of the network traffic to perform further analysis (paras. 20-26; firewall performs filtering. para. 91; prefiltering suspicious looking but not confirmed to be malicious code to lower resource consumption.) using a plurality of signatures (paras. 30, 36, 41-42, 45-47, 67; use of signatures to identify what should be done with a packet or data.) based on a match with at least one signature of the plurality of signatures based on the infection chains, (Infection chains will be taught later. paras. 41-42, 45-47, 67; signature matching) and a memory coupled to the processor and configured to provide the processor with instructions. (para. 18; memory coupled to processor that provides instructions.)

But Melicher does not explicitly teach infection chains. Nguyen, however, does teach based on infection chains; (para. 120; detection module can build and maintain a model representing chains of execution activities that together can identify malicious behavior. Paras. 127-130, 149-151, 159; system determines a chain of processes that lead to a security event.) and determine whether a plurality of sessions (para. 21; system determines if a session constitutes an attack based on data from multiple events over multiple sessions.) in the network traffic is associated with advanced persistent threat (APT) attack traffic activity (para. 3, 23; APT are targeted attacks that are used to gain access to a system.) third behavior, wherein the third behavior includes providing a persistent Dynamic Linked Library (DLL) download link, (paras. 2, 51, 133; malware may be formatted as DLL. See also Melicher, para. 60; hard link to malicious domain or para. 45; attempted download of malware from a website, which suggests a download link for downloading an executable.) It would have been obvious to one of ordinary skill prior to the effective filing date to combine the system of Melicher with the infection chain analysis in order to provide improved security by detecting processes associated with malicious code.

But modified Melicher does not explicitly teach compromised websites. Hu, however, does teach wherein the at least one signature includes a first behavior, a second behavior, a third behavior, and a fourth behavior, wherein the first behavior includes downloading software from a compromised web site, (A third behavior was previously taught. paras. 41-44; APT solution agent recognizes and protects against threats. para. 43; user visits a malicious or compromised website. The website sends HTML content.) wherein the second behavior includes providing a download link for downloading software via a Content Distribution Network (CDN), (para. 43; browser renders HTML content which downloads malware. See also Melicher, para. 60; hard link to malicious domain or para. 45; attempted download of malware from a website, which suggests a download link for downloading an executable. Examiner takes official notice of CDNs, and it would have been obvious to one of ordinary skill prior to the effective filing date to analyze behavior for downloading software from a CDN because downloading software from a CDN rather than a website does not inherently make the software not contain malware.) and wherein the fourth behavior includes executing malware on a user's device to perform data exfiltration, (para. 45; malware executes to exfiltrate data.) It would have been obvious to one of ordinary skill prior to the effective filing date to combine the system of modified Melicher with the signature for a compromised website in order to identify unauthorized exfiltration states and protect against actions that result in data exfiltration. (Hu, paras. 41-46)

But modified Melicher does not explicitly teach logic connectors. Templeman, however, does teach wherein the first behavior, the second behavior, the third behavior, and the fourth behavior are connected by one or more logic connectors, wherein the one or more logic connectors includes one or more of the following: "&" (And), "|" (Or) and/or ("!") (Not); (Examiner initially asserts that Nguyen, para. 49 teaches a Boolean data type, and a person of ordinary skill would immediately recognize that Boolean uses logic statements such as and/or/not. Consequently, Examiner asserts that Fig. 4a, col. 11, lns. 21-37; virtual feature made up of features that are logically connected, such as via And, Or and Not.) It would have been obvious to one of ordinary skill prior to the effective filing date to combine the system of modified Melicher with the logic connectors in order to allow for rules based upon a combination of statements.

With respect to Claim 2, modified Melicher teaches the system of claim 1, and Melicher also teaches wherein the security platform includes a firewall. (Fig. 1, para. 28; security platform. Paras. 20-21, 34, 38; data appliance includes firewall that monitors network traffic and network.)

With respect to Claim 3, modified Melicher teaches the system of claim 1, and Melicher also teaches wherein prefiltering improves performance for signature detection matching. (para. 91; prefiltering suspicious looking but not confirmed to be malicious code to lower resource consumption. Lowered resource consumption is improved performance.)

With respect to Claim 7, modified Melicher teaches the system of claim 1, and Melicher also teaches wherein the processor is further configured to perform an action in response to detecting the APT attack traffic activity. (para. 21, 46, 48; actions such as blocking or preventing)

With respect to Claim 8, modified Melicher teaches the system of claim 1, and Melicher also teaches wherein the processor is further configured to receive periodic updates of the plurality of signatures based on the infection chains. (para. 46; security platform provides signatures of known-malicious files. paras. 47, 80, 82; malware for which a system does not have a signature may not be prevented, which suggests updating the signatures to detect new malware.)

With respect to Claim 9, it is substantially similar to Claim 1 and is rejected in the same manner, the same art and reasoning applying.

With respect to Claims 10-11, 15-16, they are substantially similar to Claims 2-3, 7-8, respectively, and are rejected in the same manner, the same art and reasoning applying.

With respect to Claim 17, it is substantially similar to Claim 1 and is rejected in the same manner, the same art and reasoning applying. Further, Melicher also teaches a computer program product embodied in a non-transitory computer readable medium and comprising computer instructions for: (paras. 18, 34, Claim 18; storage mediums including a non-transitory storage medium such as a hard disk.)

With respect to Claims 18-19, they are substantially similar to Claims 2-3, 7-8, respectively, and are rejected in the same manner, the same art and reasoning applying.

With respect to Claim 21, Melicher teaches a system, comprising: a processor configured to: (para. 18; processor) parse threat intelligence information to extract a set of behaviors associated with an advanced persistent threat (APT) attack; (A set of behaviors associated with APT will be taught later. para. 100; engine parses code.) extract the set of behaviors associated with the APT attack; (para. 100; engine extracts an element and models execution as if it was executed.) with prefilter (paras. 20-26; firewall performs filtering. para. 91; prefiltering suspicious looking but not confirmed to be malicious code to lower resource consumption.) and a memory coupled to the processor and configured to provide the processor with instructions. (para. 18; memory coupled to processor that provides instructions.)

But Melicher does not explicitly teach infection chains. Nguyen, however, does teach a set of behaviors associated with an advanced persistent threat (APT) attack (para. 3, 23; APT are targeted attacks that are used to gain access to a system. para. 120; detection module can build and maintain a model representing chains of execution activities that together can identify malicious behavior. Paras. 127-130, 149-151, 159; system determines a chain of processes that lead to a security event.) third behavior, wherein the third behavior includes providing a persistent Dynamic Linked Library (DLL) download link, (paras. 2, 51, 133; malware may be formatted as DLL. See also Melicher, para. 60; hard link to malicious domain or para. 45; attempted download of malware from a website, which suggests a download link for downloading an executable.) and automatically generate a multi-session-based detection signature (First see Melicher, para. 48; generation of a signature for malware. Then see Nguyen, para. 21; system determines if a session constitutes an attack based on data from multiple events over multiple sessions.) and logic based on an infection chain; (First see Melicher, para. 21, 46, 48; actions such as blocking or preventing. Then see Nguyen, para. 120; detection module can build and maintain a model representing chains of execution activities that together can identify malicious behavior. Paras. 127-130, 149-151, 159; system determines a chain of processes that lead to a security event.) It would have been obvious to one of ordinary skill prior to the effective filing date to combine the system of Melicher with the infection chain analysis in order to provide improved security by detecting processes associated with malicious code.

But modified Melicher does not explicitly teach compromised websites. Hu, however, does teach wherein the set of behaviors includes a first behavior, a second behavior, a third behavior, and a fourth behavior, wherein the first behavior includes downloading software from a compromised web site, (A third behavior was previously taught. paras. 41-44; APT solution agent recognizes and protects against threats. para. 43; user visits a malicious or compromised website. The website sends HTML content.) wherein the second behavior includes providing a download link for downloading software via a Content Distribution Network (CDN), (para. 43; browser renders HTML content which downloads malware. See also Melicher, para. 60; hard link to malicious domain or para. 45; attempted download of malware from a website, which suggests a download link for downloading an executable. Examiner takes official notice of CDNs, and it would have been obvious to one of ordinary skill prior to the effective filing date to analyze behavior for downloading software from a CDN because downloading software from a CDN rather than a website does not inherently make the software not contain malware.) and wherein the fourth behavior includes executing malware on a user's device to perform data exfiltration; (para. 45; malware executes to exfiltrate data.) It would have been obvious to one of ordinary skill prior to the effective filing date to combine the system of modified Melicher with the signature for a compromised website in order to identify unauthorized exfiltration states and protect against actions that result in data exfiltration. (Hu, paras. 41-46)

But modified Melicher does not explicitly teach logic connectors. Templeman, however, does teach wherein the first behavior, the second behavior, the third behavior, and the fourth behavior are connected by one or more logic connectors, wherein the one or more logic connectors includes one or more of the following: "&" (And), "|" (Or) and/or ("!") (Not); (Examiner initially asserts that Nguyen, para. 49 teaches a Boolean data type, and a person of ordinary skill would immediately recognize that Boolean uses logic statements such as and/or/not. Consequently, Examiner asserts that Fig. 4a, col. 11, lns. 21-37; virtual feature made up of features that are logically connected, such as via And, Or and Not.) It would have been obvious to one of ordinary skill prior to the effective filing date to combine the system of modified Melicher with the logic connectors in order to allow for rules based upon a combination of statements.

Claims 4-6, 12-14, and 20 are rejected under 35 U.S.C. 103(a) as being unpatentable over Melicher (US Pub. 2022/0116411) in view of Nguyen (US Pub. 2020/0314117), in view of Hu (US Pub. 2019/0052650), in view of Templeman (US Pat. 11,552,986) and further in view of Capalik (US Pub. 2013/0152199).

With respect to Claim 4, modified Melicher teaches the system of claim 1, but does not explicitly teach an intrusion prevention system. Capalik, however, does teach wherein the at least one of the plurality of signatures based on the infection chains is an intrusion prevention system (IPS) signature. (paras. 6-7, 33; intrusion prevention system and signature for recognizing an attack.) It would have been obvious to one of ordinary skill prior to the effective filing date to combine the system of modified Melicher with the intrusion prevention system in order to prevent unauthorized access to data.

With respect to Claim 5, modified Melicher teaches the system of claim 1, but does not explicitly teach an XML-based signature. Capalik, however, does teach wherein the at least one of the plurality of signatures based on the infection chains includes extensible markup language (XML) syntax. (Fig. 4, para. 36; XML formatted signature with Regex String equaling a value and Ports equaling a value.) It would have been obvious to one of ordinary skill prior to the effective filing date to combine the system of modified Melicher with the XML signature in order to describe malicious code in a standard manner to increase interoperability.

With respect to Claim 6, modified Melicher teaches the system of claim 1, but does not explicitly teach an XML-based signature. Capalik, however, does teach wherein the at least one of the plurality of signatures based on the infection chains includes extensible markup language (XML) syntax with one or more logic connectors. (Fig. 4, para. 36; XML formatted signature with Regex String equaling a value and Ports equaling a value.) It would have been obvious to one of ordinary skill prior to the effective filing date to combine the system of modified Melicher with the XML signature in order to describe malicious code in a standard manner to increase interoperability.

With respect to Claims 12-14, they are substantially similar to Claims 4-6, respectively, and are rejected in the same manner, the same art and reasoning applying.

With respect to Claim 20, it is substantially similar to Claim 4 and is rejected in the same manner, the same art and reasoning applying.

Remarks

Applicant argues at Remarks, pgs. 6-7 that Capalik and none of the other references teach the logic connectors of "And/Or/Not." Examiner disagrees inasmuch as Nguyen teaches Boolean data and Boolean data is known to be true/false statements with logic connectors such as and/or/not. Regardless, since Nguyen does not explicitly state that Boolean connectors include and/or/not, Examiner cites Templeman to explicitly show the connectors. The additional features of the amended claims are taught above. All claims remain rejected.

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to NICHOLAS P CELANI whose telephone number is (571)272-1205. The examiner can normally be reached on M-F 9-5. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Vivek Srivastava can be reached on 571-272-7304. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/NICHOLAS P CELANI/
Examiner, Art Unit 2449
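The claims discussed above describe a detection signature made of named behaviors (compromised-site download, CDN download link, persistent DLL download link, execution with exfiltration) joined by "&", "|" and "!" connectors, written in XML syntax, matched across several sessions after a prefilter narrows the traffic. The following is an added illustration of how such a signature can be represented and evaluated from a defender's side; it is example code written for this page, not code from the application, from Palo Alto Networks, or from any of the cited references. The XML layout, the behavior definitions (including the reading of "persistent" as the same DLL link fetched in at least two sessions), the CDN host pattern, the prefilter rule and all session records are constructed assumptions for the example.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """One network session attributed to a client host (constructed record layout)."""
    host: str
    url: str
    file_type: str = ""             # artifact downloaded in this session: "exe", "dll" or ""
    site_compromised: bool = False  # URL host is on a known-compromised-site list (assumed intel feed)
    malware_executed: bool = False  # endpoint telemetry reported the downloaded file ran
    exfil_bytes: int = 0            # outbound bytes sent after execution


# Behaviors are evaluated over ALL sessions of one host, so the chain may span sessions.
CDN_LINK = re.compile(r"https?://[^/]*\.(?:cdn-example|edge-example)\.net/", re.I)  # assumed CDN hosts

def b1_compromised_site_download(sessions):
    return any(s.site_compromised and s.file_type for s in sessions)

def b2_cdn_download_link(sessions):
    return any(CDN_LINK.match(s.url) and s.file_type for s in sessions)

def b3_persistent_dll_link(sessions):
    # "persistent": the same DLL link is fetched in at least two distinct sessions
    seen = defaultdict(int)
    for s in sessions:
        if s.file_type == "dll":
            seen[s.url] += 1
    return any(n >= 2 for n in seen.values())

def b4_execution_with_exfil(sessions):
    return any(s.malware_executed and s.exfil_bytes > 0 for s in sessions)

BEHAVIORS = {"B1": b1_compromised_site_download, "B2": b2_cdn_download_link,
             "B3": b3_persistent_dll_link, "B4": b4_execution_with_exfil}

# --- tiny parser for the connector language: '!' binds tightest, then '&', then '|' ---
TOKEN = re.compile(r"\s*(?:([A-Za-z_][A-Za-z0-9_]*)|([&|!()]))")

def tokenize(expr):
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad token at {pos}: {expr[pos:]!r}")
        tokens.append(m.group(1) or m.group(2))
        pos = m.end()
    return tokens

class Parser:
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        t = self.peek(); self.i += 1; return t
    def parse(self):
        node = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"trailing token {self.peek()!r}")
        return node
    def or_expr(self):
        node = self.and_expr()
        while self.peek() == "|":
            self.take(); node = ("|", node, self.and_expr())
        return node
    def and_expr(self):
        node = self.not_expr()
        while self.peek() == "&":
            self.take(); node = ("&", node, self.not_expr())
        return node
    def not_expr(self):
        if self.peek() == "!":
            self.take(); return ("!", self.not_expr())
        return self.atom()
    def atom(self):
        t = self.take()
        if t == "(":
            node = self.or_expr()
            if self.take() != ")":
                raise ValueError("expected ')'")
            return node
        if t is None or t in ("&", "|", "!", ")"):
            raise ValueError(f"unexpected token {t!r}")
        return ("id", t)

def evaluate(node, facts):
    """Evaluate a parsed connector tree against {behavior_name: bool}."""
    op = node[0]
    if op == "id":
        return facts[node[1]]          # unknown behavior name raises KeyError deliberately
    if op == "!":
        return not evaluate(node[1], facts)
    left, right = evaluate(node[1], facts), evaluate(node[2], facts)
    return (left and right) if op == "&" else (left or right)

# Constructed XML signature; '&' must be escaped as '&amp;' inside XML text.
SIGNATURE_XML = """<signature id="example-apt-chain">
  <behavior name="B1">downloading software from a compromised web site</behavior>
  <behavior name="B2">download link for software via a CDN</behavior>
  <behavior name="B3">persistent DLL download link</behavior>
  <behavior name="B4">malware executes on the device and exfiltrates data</behavior>
  <logic>B1 &amp; (B2 | B3) &amp; B4</logic>
</signature>"""

def load_signature(xml_text):
    root = ET.fromstring(xml_text)
    names = [b.get("name") for b in root.findall("behavior")]
    return root.get("id"), names, Parser(tokenize(root.findtext("logic"))).parse()

def prefilter(sessions):
    """Keep only hosts with at least one artifact download; the rest skip signature matching."""
    by_host = defaultdict(list)
    for s in sessions:
        by_host[s.host].append(s)
    return {h: ss for h, ss in by_host.items() if any(s.file_type for s in ss)}

def match_hosts(sessions, xml_text=SIGNATURE_XML):
    """Return hosts whose multi-session activity satisfies the signature's connector logic."""
    _sig_id, names, tree = load_signature(xml_text)
    hits = [host for host, ss in prefilter(sessions).items()
            if evaluate(tree, {n: BEHAVIORS[n](ss) for n in names})]
    return sorted(hits)

# Constructed sample sessions: one full chain, one partial chain, one host with no downloads.
SAMPLE_SESSIONS = [
    Session("10.0.0.5", "https://news.compromised-example.org/update.exe", "exe", site_compromised=True),
    Session("10.0.0.5", "https://files.cdn-example.net/loader.dll", "dll"),
    Session("10.0.0.5", "https://files.cdn-example.net/loader.dll", "dll"),
    Session("10.0.0.5", "https://collect.example.invalid/upload", malware_executed=True, exfil_bytes=4096),
    Session("10.0.0.7", "https://news.compromised-example.org/update.exe", "exe", site_compromised=True),
    Session("10.0.0.9", "https://intranet.example.invalid/home"),
]

if __name__ == "__main__":
    print(match_hosts(SAMPLE_SESSIONS))   # only 10.0.0.5 completes the chain
```

Two design points worth noting for a detection engineer: the behaviors take the whole session list of a host rather than a single session, which is what makes a chain signature different from a per-packet IPS rule, and the prefilter drops hosts that never downloaded anything before any behavior function runs, which is the resource-saving step the claims attribute to prefiltering. A host that only trips B1 (10.0.0.7 above) does not match because the connector logic also requires B4, so the signature fires on the completed chain rather than on a single suspicious download.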

Prosecution Timeline

Jul 28, 2023: Application Filed
Mar 19, 2025: Non-Final Rejection — §103
May 01, 2025: Applicant Interview (Telephonic)
May 01, 2025: Examiner Interview Summary
Jun 17, 2025: Response Filed
Jun 25, 2025: Final Rejection — §103
Oct 24, 2025: Request for Continued Examination
Nov 02, 2025: Response after Non-Final Action
Feb 04, 2026: Non-Final Rejection — §103
Mar 26, 2026: Examiner Interview Summary
Mar 26, 2026: Applicant Interview (Telephonic)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12592949: METHODS AND SYSTEMS FOR CATEGORIZING CYBER INCIDENT LOGS FEATURING DYNAMIC RELATIONSHIPS TO PRE-EXISTING CYBER INCIDENT REPORTS IN REAL-TIME (2y 5m to grant; granted Mar 31, 2026)
Patent 12580823: ON-PREMISE MACHINE LEARNING MODEL SELECTION IN A NETWORK ASSURANCE SERVICE (2y 5m to grant; granted Mar 17, 2026)
Patent 12574424: Systems and methods for video-conference network system suitable for scalable, automatable, inter-social domain, private tele-consultation service (2y 5m to grant; granted Mar 10, 2026)
Patent 12574208: DATA ENCRYPTION AND DECRYPTION USING SCREENS AND LFSR-GENERATED LOGIC BLOCKS (2y 5m to grant; granted Mar 10, 2026)
Patent 12547471: TECHNIQUES FOR MANAGING EDGE DEVICE PROVISIONING (2y 5m to grant; granted Feb 10, 2026)
Based on 5 most recent grants.


Prosecution Projections

Expected OA Rounds: 3-4
Grant Probability: 46%
With Interview: 88% (+42.2%)
Median Time to Grant: 3y 2m
PTA Risk: High
Based on 454 resolved cases by this examiner. Grant probability derived from career allow rate.
