Prosecution Insights
Last updated: April 19, 2026
Application No. 18/229,062

ADVANCED THREAT PREVENTION

Status: Non-Final OA (§103, §DP)
Filed: Aug 01, 2023
Examiner: ALI, AFAQ
Art Unit: 2434
Tech Center: 2400 — Computer Networks
Assignee: Palo Alto Networks Inc.
OA Round: 3 (Non-Final)

Grant Probability: 90% (Favorable)
OA Rounds: 3-4
To Grant: 2y 7m
With Interview: 99%

Examiner Intelligence

Career Allow Rate: 90% (grants 90%, above average); 119 granted / 132 resolved; +32.2% vs TC avg
Interview Lift: +12.2% (moderate, about +12%), measured over resolved cases with interview versus without
Avg Prosecution (typical timeline): 2y 7m; 24 currently pending
Career history: 156 total applications across all art units

Statute-Specific Performance

§101: 7.5% (-32.5% vs TC avg)
§103: 49.0% (+9.0% vs TC avg)
§102: 5.2% (-34.8% vs TC avg)
§112: 20.3% (-19.7% vs TC avg)

Based on career data from 132 resolved cases (chart: black line = Tech Center average estimate).

Office Action

§103 §DP
Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Detailed Action

A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 02/05/2026 has been entered.

Claims 1, 14, and 15 have been amended. Claim 3 has been cancelled. Claims 1, 2, and 4-15 are pending.

Response to Arguments

Applicant’s arguments filed on 02/05/2026 have been fully considered. With respect to the 35 USC 103 rejection of independent claims 1, 14, and 15, Applicant has argued that DENG-ASKEW-TROTTER fail to teach the newly amended claims. Examiner is no longer relying on ASKEW-TROTTER to teach the limitations of claims 1, 14, and 15. Examiner is now rejecting claims 1, 14, and 15 using DENG (US-20220070223-A1) in view of HEWLETT (US-20210021611-A1), and further in view of LOMAN (US-20240211597-A1). Additional arguments are moot in view of the new grounds of rejection necessitated by the claim amendments.

Claim Interpretation

The following is a quotation of 35 U.S.C. 112(f):

(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked. As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:

(A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function;
(B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and
(C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function.

Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.

Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.

This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitations are:

“a remote service for further evaluation” in claims 1 and 15
“… remote service is configured to” in claim 8

Because this claim limitation(s) is being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it is being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof. See specification para. 0027, 0028 for hardware support for the remote service, and specification para. 0095, 0099, and 0100 for functional support for the remote service.

If applicant does not intend to have this limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.

Double Patenting

The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).

A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).

The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13.

The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer.

Claims 1, 14, and 15 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1 and 2 of U.S. Patent No. US 12294609 B2. Although the claims at issue are not identical, they are not patentably distinct from each other because the corresponding claims further recite similar/same limitations of the same subject matter.

Current application no. 18/229,062, claim 1:

1.) A system, comprising: a processor configured to: parse monitored network traffic associated with a session and determine, using a prefilter, that a suspicious portion of the monitored network traffic should be forwarded to a remote service for further evaluation of whether potential Cobalt Strike activity is occurring, wherein the determination is made based at least in part on determining that: (1) a response payload starts with a magic byte matching a list of file types implicated in Cobalt Strike activity; (2) a content length in a response header is within a prespecified range implicated by Cobalt Strike activity; and (3) a pattern associated with Cobalt Strike activity is matched within a first portion of a response body;[[;]] and receive, from the remote service, a verdict indicating that the session is associated with malicious Cobalt Strike activity, and take a remedial action in response; and a memory coupled to the processor and configured to provide the processor with instructions.

U.S. Patent No. US 12294609 B2, claims 1 and 2:

1. A system, comprising: a processor configured to: monitor HyperText Transfer Protocol (HTTP), HTTPS, and/or Domain Name System (DNS) network traffic at a firewall; prefilter the monitored HTTP, HTTPS, and/or DNS network traffic at the firewall to select a subset of the HTTP, HTTPS, and/or DNS network traffic to forward to a cloud security service, comprising to: determine whether the HTTP, HTTPS, and/or DNS network traffic includes a header value or a uniform resource identifier (URI) length check that falls within a predetermined range of header lengths; and in response to a determination that the HTTP, HTTPS, and/or DNS network traffic includes the header value or the URI length check that falls within the predetermined range of header lengths: determine whether the HTTP, HTTPS, and/or DNS network traffic is encoded in one of the following encoding techniques: base64, base64url, netbios, netbiosu, or mask; and in response to a determination that the HTTP, HTTPS, and/or DNS network traffic is encoded in one of the following encoding techniques: base64, base64url, netbios, netbiosu, or mask, prefilter the HTTP, HTTPS, and/or DNS network traffic; perform HTTP, HTTPS, and/or DNS probing of a target to detect whether the target is a server that generates malware traffic; and perform an action in response to detecting that the target is the server; and a memory coupled to the processor and configured to provide the processor with instructions.

2.) The system of claim 1, wherein the detecting of the server validates a malware verdict for Cobalt Strike Beacon HTTP, HTTPS, and/or DNS C2 traffic activity.

Claims 14 and 15 are similar claims to claim 1. Therefore, claims 14 and 15 are rejected in a similar manner.

Claims 1, 14, and 15 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of copending Application No. 19/353,404 (reference application). Although the claims at issue are not identical, they are not patentably distinct from each other because the corresponding claims further recite similar/same limitations of the same subject matter. This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.

Current application no. 18/229,062, claim 1:

1.) A system, comprising: a processor configured to: parse monitored network traffic associated with a session and determine, using a prefilter, that a suspicious portion of the monitored network traffic should be forwarded to a remote service for further evaluation of whether potential Cobalt Strike activity is occurring, wherein the determination is made based at least in part on determining that: (1) a response payload starts with a magic byte matching a list of file types implicated in Cobalt Strike activity; (2) a content length in a response header is within a prespecified range implicated by Cobalt Strike activity; and (3) a pattern associated with Cobalt Strike activity is matched within a first portion of a response body;[[;]] and receive, from the remote service, a verdict indicating that the session is associated with malicious Cobalt Strike activity, and take a remedial action in response; and a memory coupled to the processor and configured to provide the processor with instructions.

Copending Application No. 19/353,404, claim 1:

1.) A system, comprising: a processor configured to: monitor HyperText Transfer Protocol Secure (HTTPS) network traffic at a firewall; prefilter the monitored HTTPS network traffic at the firewall to select a subset of the HTTPS network traffic to forward to a cloud security service; determine whether the subset of the HTTPS network traffic is associated with Cobalt Strike Beacon HTTPS C2 traffic activity based on a plurality of heuristics, wherein data statistics based on an automated heuristic analysis of the subset of the HTTPS network traffic is stored in a data statistics table of a detection system; and perform an action in response to detecting the Cobalt Strike Beacon HTTPS C2 traffic activity; and a memory coupled to the processor and configured to provide the processor with instructions.

Claims 14 and 15 are similar claims to claim 1. Therefore, claims 14 and 15 are rejected in a similar manner.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.
Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, 4, 7, 8, 10, and 13-15 are rejected under 35 U.S.C. 103 as being unpatentable over DENG (US-20220070223-A1) in view of HEWLETT (US-20210021611-A1), and further in view of LOMAN (US-20240211597-A1), hereinafter DENG-HEWLETT-LOMAN.

Regarding claim 1, DENG teaches “A system, comprising: a processor configured to: parse monitored network traffic associated with a session and determine, using a prefilter, that a suspicious portion of the monitored network traffic should be forwarded to a remote service …” ([DENG, para. 0034] “a system/method/computer program product for a security platform with external inline processing of assembled selected traffic includes monitoring network traffic of a session at a security platform; selecting a subset of the monitored network traffic associated with the session to send to a cloud-based security service for analysis based on a security policy, wherein the selected subset of the monitored network traffic is proxied to the cloud-based security service”) ([DENG, para. 0092] “the disclosed architecture for a security platform with external inline processing of assembled selected traffic … The selective L7 proxy for suspicious sections of the monitored network traffic provides for enhanced security.”) ([DENG, para. 0038] “the security platform can selectively forward part of the traffic associated with a session to another processing unit (e.g., an external processing unit).”) ([DENG, para. 0071] “a policy configuration, action related 210 d (e.g., security rules/policies, which can be configured to handle different types of content/files (file type) using EIPAT 210 and/or security services 222 (such as a policy on which file types to send to which cloud-based security services”);

“receive, from the remote service, a verdict indicating that the session is malicious …, and take a remedial action in response;” ([DENG, para. 0034] “receiving, from the cloud-based security service, results of the analysis based on the security policy, and perform a responsive action based on the results of the analysis based on the security policy.”) ([DENG, para. 0065] “In the event an application is determined to be malicious, data appliances can be configured to automatically block the file download based on the analysis result. Further, a signature can be generated for the malware and distributed (e.g., to data appliances such as security platform 202) to automatically block future file transfer requests to download the file determined to be malicious.”);

and “a memory coupled to the processor and configured to provide the processor with instructions.” ([DENG, para. 0013] “The invention can be implemented in numerous ways, including as a process; an apparatus; a system; a composition of matter; a computer program product embodied on a computer readable storage medium; and/or a processor, such as a processor configured to execute instructions stored on and/or provided by a memory coupled to the processor.”).

However, DENG fails to teach “for further evaluation of whether potential Cobalt Strike activity is occurring, wherein the determination is made based at least in part on determining that: (1) a response payload starts with a magic byte matching a list of file types implicated in Cobalt Strike activity; (2) a content length in a response header is within a prespecified range implicated by Cobalt Strike activity; and (3) a pattern associated with Cobalt Strike activity is matched within a first portion of a response body; … a verdict indicating that the session is associated with malicious Cobalt Strike activity”.
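The three-criterion prefilter recited in claim 1 (leading magic byte against a file-type list, Content-Length inside a prespecified range, pattern match confined to the first portion of the response body), followed by forwarding to a remote verdict service and a remedial action on a malicious verdict, as an added Python illustration. This is not code from the application, from Palo Alto Networks, or from the cited references. Every indicator value is a constructed placeholder: which file types are listed, the length bounds, the body pattern, and the known-bad hash that the stand-in remote service consults (the real service's analysis is out of scope here, so the stand-in only decides by payload hash). The two sample responses are constructed, not captured traffic.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Prefilter configuration. The PE ("MZ") and ELF ("\x7fELF") magic values are real file
# signatures; which types are listed, the length range and the body pattern are constructed
# placeholders for this example, not indicators taken from the application.
MAGIC_FILE_TYPES = {b"MZ": "pe", b"\x7fELF": "elf"}
CONTENT_LENGTH_RANGE = (1024, 1_048_576)                    # inclusive bounds in bytes
BODY_PATTERNS = [re.compile(rb"EXAMPLE-PATTERN-[0-9]{3}")]  # placeholder pattern
BODY_PREFIX = 4096                                          # only this much body is scanned


@dataclass
class HttpResponse:
    status: int
    headers: dict      # header names lower-cased
    body: bytes


def parse_http_response(raw: bytes) -> HttpResponse:
    """Minimal HTTP/1.x response parser: status line, header block, body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError("bad status line")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return HttpResponse(int(parts[1]), headers, body)


def prefilter(resp: HttpResponse) -> list[str]:
    """Return the claim-1 criteria the response satisfies, in claim order."""
    met = []
    for magic, ftype in MAGIC_FILE_TYPES.items():           # (1) payload starts with magic bytes
        if resp.body.startswith(magic):
            met.append(f"magic:{ftype}")
            break
    try:                                                     # (2) Content-Length within range
        length = int(resp.headers.get("content-length", ""))
    except ValueError:
        length = None                                        # header missing or malformed
    if length is not None and CONTENT_LENGTH_RANGE[0] <= length <= CONTENT_LENGTH_RANGE[1]:
        met.append("content-length-in-range")
    prefix = resp.body[:BODY_PREFIX]                         # (3) match only in the first portion
    if any(p.search(prefix) for p in BODY_PATTERNS):
        met.append("pattern-in-body-prefix")
    return met


def should_forward(met: list[str]) -> bool:
    """Claim 1 conjoins all three criteria before the payload leaves the firewall."""
    return (any(m.startswith("magic:") for m in met)
            and "content-length-in-range" in met
            and "pattern-in-body-prefix" in met)


class RemoteService:
    """Stand-in for the cloud verdict service (its real analysis is out of scope here):
    it answers 'malicious' when the payload's SHA-256 is in a constructed known-bad set."""

    def __init__(self, known_bad_sha256: set[str]):
        self.known_bad = known_bad_sha256

    def evaluate(self, resp: HttpResponse) -> str:
        return "malicious" if hashlib.sha256(resp.body).hexdigest() in self.known_bad else "benign"


@dataclass
class Firewall:
    remote: RemoteService
    block_list: set = field(default_factory=set)
    telemetry: list = field(default_factory=list)   # which criteria each session met (claim 13)

    def handle(self, session_id: str, raw: bytes) -> str:
        resp = parse_http_response(raw)
        met = prefilter(resp)
        self.telemetry.append((session_id, met))
        if not should_forward(met):
            return "not-forwarded"                   # stays on the firewall, never leaves
        if self.remote.evaluate(resp) == "malicious":
            self.block_list.add(session_id)         # remedial action: block the session
            return "blocked"
        return "allowed"


def sample_suspicious() -> bytes:
    """Constructed response that meets all three criteria (not real traffic)."""
    body = b"MZ" + b"\x90" * 100 + b"EXAMPLE-PATTERN-042" + b"\x00" * 2000
    return (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body) + body)


def sample_benign() -> bytes:
    """Constructed HTML response that meets none of the criteria."""
    body = b"<html><body>hello</body></html>"
    return b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: %d\r\n\r\n" % len(body) + body


def demo() -> dict:
    """Run both constructed sessions and report outcomes, block list and telemetry."""
    bad = hashlib.sha256(parse_http_response(sample_suspicious()).body).hexdigest()
    fw = Firewall(RemoteService({bad}))
    return {"suspicious": fw.handle("session-1", sample_suspicious()),
            "benign": fw.handle("session-2", sample_benign()),
            "block_list": sorted(fw.block_list), "telemetry": fw.telemetry}


if __name__ == "__main__":
    print(demo())
```

The point of the conjunction in should_forward is the one the claim makes: a payload that trips only one or two of the checks never leaves the firewall, so the remote service sees a small slice of traffic, while the per-session telemetry records which forwarding criteria were met either way.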
In analogous teaching, HEWLETT teaches “for further evaluation of whether potential … activity is occurring, wherein the determination is made based at least in part on determining that: (1) a response payload starts with a magic byte matching a list of file types implicated in … activity;” ([HEWLETT, para. 0038] “The compromised client device can then be instructed to perform tasks (e.g., cryptocurrency mining, or participating in denial of service attacks) and to report information to an external entity, such as command and control (C&C) server 150, as well as to receive instructions from C&C server 150, as applicable.”) ([HEWLETT, para. 0082] “Process 600 begins at 602 when an indication is received by appliance 102 that a file is being transmitted as part of a session. As one example of the processing performed at 602, for a given session, an associated protocol decoder can call or otherwise make use of an appropriate file-specific decoder when the start of a file is detected by the protocol decoder. As explained above, the filetype is determined (e.g., by decoder 402) and associated with the session”) ([HEWLETT, para. 0072] “a given filetype is specified within the file's header (e.g., as a magic number appearing in the first seven bytes of the file itself). In such a scenario, threat engine 244 can select an appropriate model corresponding to the specified file type … As one example, JavaScript would have a filetype of “textfile.” To identify filetypes such as JavaScript, decoder 402 can be used to perform deterministic finite state automaton (DFA) pattern matching and apply heuristics (e.g., identifying <script> and other indicators that the file is JavaScript). The determined filetype and/or selected classification model are saved in the session state.”) ([HEWLETT, para. 0085] “In various embodiments, appliance 102 is configured to share its verdicts (whether benign verdicts, malicious verdicts, or both) with security platform 122. When security platform 122 completes its independent analysis of the file, it can use the verdict reported by appliance 102 for a variety of purposes, including assessing the performance of the model that formed the verdict.”) ([HEWLETT, para. 0041] “A variety of actions can be taken by data appliance 102 if no signature for an attachment is found, in various embodiments.”) ([HEWLETT, para. 0042] “As a third example, data appliance 102 can be configured to provide the file (e.g., malware 130) to security platform 122 for static/dynamic analysis, to determine whether it is malicious and/or to otherwise classify it.”);

“(2) a content length in a response header is within a prespecified range implicated by … activity; and” ([HEWLETT, para. 0066] “in various embodiments, decoder 402 can use other information (e.g., file size as reported in a header) to determine when feature extraction of a file should end (e.g., the overlay section begins) and execution using an appropriate model should be commenced.”) ([HEWLETT, para. 0078] “classification model can be built using both n-gram (e.g., 8-gram) and non n-gram features. One example of a non n-gram feature is the purported size of the file (which can be read as a value out of a packet containing the file's header). Any file data appearing after the purported end of the file (e.g., as based on the file size specified in the header) is referred to as an overlay. In addition to serving as a feature, the purported file length can be used as a proxy for how long the file is expected to be.”);

“(3) a pattern associated with … activity is matched within a first portion of a response body” ([HEWLETT, para. 0069] “As session packets corresponding to a file are received by threat engine 244, threat pattern matcher 408 parses the packets for matches against strings in a table (e.g., by performing regular expression and/or exact string matches). A list of matches (e.g., with each instance of a match identified by a corresponding pattern ID) and at what offset each match occurred is generated. Actions on those matches are taken in the order of the offset (e.g., from lower to higher). For a given match (i.e., corresponding to a particular pattern ID), a set of one or more actions to take is specified (e.g., via an action table that maps actions to pattern IDs).”) ([HEWLETT, para. 0083] “it can also determine whether any 8-grams in the packet match 8-grams provided by security platform 122. During the processing performed at 604, when an n-gram match is found, the corresponding pattern ID is used to map the condition to an action based on filetype. The action either increments a weighted counter”).

Thus, given the teaching of HEWLETT, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of evaluation of potential malicious activity by HEWLETT into the teaching of a system to parse suspicious session traffic by DENG. One of ordinary skill in the art would have been motivated to do so because HEWLETT recognizes the need to mitigate malware ([HEWLETT, para. 0001] “Accordingly, there is an ongoing need for improvements to techniques for identifying and mitigating malware.”) ([HEWLETT, para. 0060] “perform is inline malware detection. In particular, and as will be described in more detail below, as a file (such as sample 130) passes through data appliance 102, machine learning techniques can be applied to perform efficient analysis of the file on data appliance”).

However, DENG-HEWLETT fail to teach “Cobalt Strike activity … verdict indicating that the session is associated with malicious Cobalt Strike activity”.

In analogous teaching, LOMAN teaches “Cobalt Strike activity” ([LOMAN, para. 0021] “For example, malware can initiate a malicious process that is a beacon that upon activation is configured to initiate a communication with an external entity such as, for example, a command-and-control center (C2 center) via a command-and-control channel (e.g., C2 channel). … examples of beacon include Cobalt Strike Beacon”) ([LOMAN, para. 0062] “Based on the information, the memory scan controller 214 can identify malware or code associated with a malicious process in a memory at a compute device (e.g., identify code to be a malware beacon like Cobalt Strike beacon in the example in FIG. 6, signaling to make a communication channel with a control command center), determine a type or class of malware, and/or determine a risk associated with the malware.”) ([LOMAN, para. 0086] “The process 600 includes intercepting a function call to a shared library to identify a source location associated with the function call. The example of FIG. 6 includes identifying a potentially malicious process, a Cobalt Strike beacon 673, associated with the function call.”) ([LOMAN, para. 0017] “Malware can be implemented, distributed, and/or stored via artifacts including computer files (“computer file(s)” or “file(s)”) such as text or document files (collectively, “document file(s)”) of various filetypes. Such files can be distributed or communicated via network (e.g., Internet) communications. For example, document files can include embedded, executable scripts or macros that, in some cases, can be configured to cause malicious activity”) and “… verdict indicating that the session is associated with malicious Cobalt Strike activity” ([LOMAN, para. 0079] “At 475, the method 400 includes identifying, based on the scanning, a potentially malicious process within the range of memory addresses. In some implementations, the method 400 can further include identifying, characterizing, and/or classifying the potentially malicious process using any suitable technique (e.g., signature analysis, comparing to a black list or template of malware, using a maliciousness classifier, using machine learning models to characterize or classify potentially malicious artifacts, etc.). In some implementations, the method 400 can include performing or recommending one or more remedial measure based on the identifying”) ([LOMAN, para. 0086] “The example of FIG. 6 includes identifying a potentially malicious process, a Cobalt Strike beacon 673, associated with the function call.”) ([LOMAN, para. 0091] “the MD system can identify the malware as CS beacon 673 via instructions in the second program 679, and based on the identification instruct the processor (e.g., processor 210 of MD analysis device 201 and/or processor 310 of compute device 302) to perform an action 676 to block transfer of execution back to the first program 680 as initiated by the function call 681.”).

Thus, given the teaching of LOMAN, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Cobalt Strike attack detection by LOMAN into the teaching of a system to parse suspicious session traffic by DENG-HEWLETT. One of ordinary skill in the art would have been motivated to do so because LOMAN recognizes the need to efficiently detect malicious attacks ([LOMAN, para. 0003] “a need exists for reliable methods and apparatus to identify, detect, and/or locate such difficult to detect malicious artifacts so that suitable preventative and/or remedial measures may be taken to protect hardware, data, information and/or the like.”).

Regarding claim 2, DENG-HEWLETT-LOMAN teaches all limitations of claim 1. DENG further teaches “wherein parsing the monitored network traffic includes performing a single session detection.” ([DENG, para. 0052] “Whenever flow module 338 identifies packets as being part of a new session, it creates a new session flow. Subsequent packets will be identified as belonging to the session based on a flow lookup”) ([DENG, para. 0034] “a security platform with external inline processing of assembled selected traffic includes monitoring network traffic of a session at a security platform”).

Regarding claim 4, DENG-HEWLETT-LOMAN teaches all limitations of claim 1. DENG further teaches “wherein parsing the monitored network traffic includes performing a multi-stage detection.” ([DENG, para. 0038] “the selectively forwarded traffic can then be pushed to multiple security services in parallel (e.g., Adobe PDF and Microsoft Office files can be pushed to security services for DLP as well as inline Wildfire (static and dynamic/machine learning (ML)) analysis).”).

Regarding claim 7, DENG-HEWLETT-LOMAN teaches all limitations of claim 1. LOMAN further teaches “wherein taking the remedial action includes generating a report that indicates one or more problematic portions of a payload.” ([LOMAN, para. 0021] “the function call can be an internal call associated with any suitable action within the compute device For example, malware can initiate a malicious process that is a beacon that upon activation is configured to initiate a communication with an external entity such as, for example, a command-and-control center (C2 center)”) ([LOMAN, para. 0003] “The MD interface is configured to provide a connection between the MD analysis device 101 and a compute device (e.g., compute devices 102-104) to send/receive information associated with one or more processes including monitoring activity (e.g., loading of programs in a first memory), identifying the first program associated with an identified function call and when it is loaded in a first memory … characterizing the potential malicious process or malware, and/or to determine or initiate one or more remedial measures based on the analysis, identification, classifying, or characterizing the potential malicious process or malware, and/or generating a report based on the detection and/or location of the malicious process.”). The same motivation to modify DENG-HEWLETT with LOMAN as in the rejection of claim 1 applies.

Regarding claim 8, DENG-HEWLETT-LOMAN teaches all limitations of claim 1. DENG further teaches “wherein the remote service is configured to update a block list, at least in part, in response to the verdict.” ([DENG, para. 0065] “In the event an application is determined to be malicious, data appliances can be configured to automatically block the file download based on the analysis result. Further, a signature can be generated for the malware and distributed (e.g., to data appliances such as security platform 202) to automatically block future file transfer requests to download the file determined to be malicious.”) ([DENG, para. 0062] “security services 222 can provide to security platform 202 a set of signatures of known-malicious files (e.g., as part of a subscription). If a signature for a given malware is included in the set (e.g., an MD5 hash of the malware file, such as DOCX shown in FIG. 2A)”).

Regarding claim 10, DENG-HEWLETT-LOMAN teaches all limitations of claim 1. LOMAN further teaches “wherein the processor is further configured to determine telemetry associated with obtaining the verdict.” ([LOMAN, para. 0094] “FIG. 7 is an example of an alert message 790, generated by an MD system described herein, according to an embodiment. The alert message 790 can be generated as part of a remedial measure following an identification of potential malware or a malicious process at a source location identified using the malware locating methods described herein. … The message can include any suitable information associated with the identification of the potential malware including code snippets, instructions, signatures used, time stamps, platform, application used, memory addresses involved, and/or the like.”). The same motivation to modify DENG-HEWLETT with LOMAN as in the rejection of claim 1 applies.

Regarding claim 13, DENG-HEWLETT-LOMAN teaches all limitations of claim 10. LOMAN further teaches “wherein the collected telemetry includes which, of a plurality of forwarding criteria, was met by the monitored network traffic.” ([LOMAN, para. 0095] “For example, as shown in FIG. 7, the second portion 793 can include communication parameters associated with the detected malicious process (e.g., communication parameters used by a beacon to make contact with a command-and-control (C2) server, the address of the C2 server with which the malicious process was attempting to connect, the user agent used to initiate communication with the C2 server (e.g., a string that identifies the browser that was used for the network communication), application parameters associated with communication to the C2 server, the process in which the malware is intended to be injected (e.g.: www.cobaltstrike.com/blog/cobalt-strikes-process-injection-the-details-cobalt-strike/ or boschko.ca/cobalt-strike-process-injection/), and a name of the ‘named pipe’ (e.g., Cobalt Strike can use both named and unnamed pipes to exchange data between the beacon and its sacrificial processes”). The same motivation to modify DENG-HEWLETT with LOMAN as in the rejection of claim 1 applies.
Regarding claim 14, this claim recites of a method claim that corresponds to system claim 1. Therefore, claim 14 is rejected in a similar manner as in the rejection of claim 1. Regarding claim 15, this claim recites of a computer program product that corresponds to system claim 1. Therefore, claim 15 is rejected in a similar manner as in the rejection of claim 1. Claims 5 and 6 are rejected under 35 U.S.C. 103 as being unpatentable over DENG-HEWLETT-LOMAN in view of MCGREW (US-20200120107-A1). Regarding claim 5, DENG-HEWLETT-LOMAN teaches all limitations of claim 4. However, DENG-HEWLETT-LOMAN does not teach “wherein the multi-stage detection is associated with a potential Empire attack.”. In analogous teaching MCGREW teaches “wherein the multi-stage detection is associated with a potential Empire attack.” ([MCGREW, para. 0145] “Thus, security process 248 can leverage the above observations to build an active interference system that would change specific bytes in the outgoing client traffic of a suspect flow, and analyze the response. By applying the previous transformations to the Cookie or CF-RAY header, security process 248 can detect an Empire C&C channel with high efficacy”). Thus, given the teaching of MCGREW, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teaching of empire attack by MCGREW into the teaching of a system to parse suspicious session traffic by DENG-HEWLETT-LOMAN. One of ordinary skill in the art would have been motivated to do so because MCGREW recognizes the need to efficiently prevent empire attacks ([MCGREW, para. 0145] “By applying the previous transformations to the Cookie or CF-RAY header, security process 248 can detect an Empire C&C channel with high efficacy.”). Regarding claim 6, DENG-HEWLETT-LOMAN teaches all limitations of claim 1. However, DENG-HEWLETT-LOMAN does not teach “wherein taking the remedial action includes dropping the session. 
In analogous teaching MCGREW teaches “wherein taking the remedial action includes dropping the session.” ([MCGREW, para. 0128] “a mitigation command 416 may cause a display device or other user interface to present an alert to a network administrator regarding the findings. In further cases, a mitigation command 416 may initiate automatic mitigation actions in the network, such as by blocking or redirecting traffic associated with the infected endpoint device and/or the server”). The same motivation to combine DENG-HEWLETT-LOMAN with MCGREW as in the rejection of claim 5 applies. Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over DENG-HEWLETT-LOMAN in view of LEDDY (US-20200067861-A1). Regarding claim 9, DENG-HEWLETT-LOMAN teaches all limitations of claim 8. However, DENG-HEWLETT-LOMAN does not teach “wherein the processor is further configured to perform automated validation prior to updating the block list.”. In analogous teaching LEDDY teaches “wherein the processor is further configured to perform automated validation prior to updating the block list.” ([LEDDY, para. 0220] “Because the message was placed in the yellow bin, it is flagged for training potential. The training module is configured to select the message from the yellow bucket. … information indicating that the message was placed in the yellow bin due to an unrecognized URL (or a URL that was recently formed and/or not associated with a known brand) is also passed with the message.”) ([LEDDY, para. 0226] “In this example scenario, no filters in a filter set triggered. The message is passed to the training module 176 for further evaluation. In some embodiments, a manual evaluation is performed, and a filter update is performed. In other embodiments, the filter update is performed automatically”) ([LEDDY, para. 0120] “the training module is also configured to determine whether the rule will result in false positives. 
In some embodiments, false positives are determined based on a check against a ham repository, such as ham repository 178.”) ([LEDDY, para. 0121] “the training module is provided instructions on what filters/rules should be trained/updated/generated.”). Thus, given the teaching of LEDDY, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teaching of validation prior to updating the block list by LEDDY into the teaching of a system to parse suspicious session traffic by DENG-HEWLETT-LOMAN. One of ordinary skill in the art would have been motivated to do so because LEDDY recognizes the need to efficiently protect users ([LEDDY, para. 0004] “There therefore exists an ongoing need to protect users against such evolving scams.”) ([LEDDY, para. 0056] “Described herein is a system that is configured to pre-validate electronic communications before they are seen by users. In some embodiments, the system described herein is an automated adaptive system that can protect users against evolving scams”). Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over DENG-HEWLETT-LOMAN in view of NENE (US-20200067861-A1). Regarding claim 11, DENG-HEWLETT-LOMAN teaches all limitations of claim 10. However, DENG-HEWLETT-LOMAN does not teach “wherein the collected telemetry includes a round trip time associated with obtaining the verdict.”. In analogous teaching NENE teaches “wherein the collected telemetry includes a round trip time associated with obtaining the verdict.” ([NENE, col. 2 lines 59-67, col. 3 lines 1-5] “the receiving service causes an entry to be added to a diagnostics log service. The diagnostics log service may include a separate diagnostics log for each of the services. The entry added to a respective service's diagnostics log may include the data flow token. A time stamp also may be included in the diagnostics log entry. 
The time stamp may be generated by the service that receive the packet and extracted the data flow token from the packet (or generated the token). The time stamp corresponds to the time that the service received the packet. Upon completion of its operation, the service updates the entry in its diagnostic log (or adds another entry) with another time stamp indicate of when the service completed its operation. The difference between the two time stamps provides a measure of the amount of time the service took to complete its operation.”). Thus, given the teaching of NENE, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teaching of collected telemetry includes a round trip time by NENE into the teaching of a system to parse suspicious session traffic by DENG-HEWLETT-LOMAN. One of ordinary skill in the art would have been motivated to do so because NENE recognizes the debug and diagnose applications efficiently ([NENE, col. 1 lines 58-62] “Unfortunately, having a service provider host an application without requiring management of virtual machines and software stacks also makes it difficult by the application developer to debug and diagnose problems with an application.”) ([NENE, col. 8 lines 25-28] “Either way (for a data flow token generated from scratch or extracted from the packet), the method includes at 212 writing diagnostics data to a diagnostics log 140 corresponding to the service that received the packet”) ([NENE, col. 9 lines 46-50] “The diagnostics data stored in the diagnostics logs 140 can be analyzed for any of a variety of reasons. For example, the diagnostics log data can be analyzed to “recreate” a given data flow.”) Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over DENG-HEWLETT-LOMAN in view of BANSAL (US-20180276041-A1). Regarding claim 12, DENG-HEWLETT-LOMAN teaches all limitations of claim 10. 
However, DENG-HEWLETT-LOMAN does not teach “wherein the collected telemetry includes a determination of whether a quota of service value has been exceeded.”. In analogous teaching BANSAL teaches “wherein the collected telemetry includes a determination of whether a quota of service value has been exceeded.” ([BANSAL, para. 0016] “For a given time slot, embodiments determine whether each metered cloud service has a sufficient quota of operations available to execute respective metered transactions of each workload, and whether each non-metered cloud service has a sufficient processing load to execute respective non-metered transactions.”) ([BANSAL, para. 0220] “embodiments invoke the corresponding metadata endpoint to determine if any of the quota is available at 1408. If the expected number of invocations is more than the remaining quota (i.e., the needed quota is not available), then the workload is scheduled to be processed in the next time slot and functionality returns to 1404.”). Thus, given the teaching of BANSAL, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teaching of quota of service value has been exceeded by BANSAL into the teaching of a system to parse suspicious session traffic by DENG-HEWLETT-LOMAN. One of ordinary skill in the art would have been motivated to do so because BANSAL recognizes the need for secure access to cloud based applications ([BANSAL, para. 0002] “Accordingly, there is a need for secure access to cloud-based applications, or applications located anywhere, regardless of from what device type or by what user type the applications are accessed.”) ([BANSAL, para. 0003] “The system determines a plurality of cloud services needed to execute each of the plurality of transactions, where at least one of the determined cloud services is a metered cloud service that executes metered transactions”). 
Pertinent Art The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure. ANDERSON (US-20210194894-A1): This prior art teaches of a switch in a software-defined network receives a packet sent by an endpoint device via the SDN. The switch makes a copy of the packet based on one or more header fields of the packet matching one or more flow table entries of the switch. The switch forms telemetry data for reporting to a traffic analysis service by applying a metadata filter to the copy of the packet. The metadata filter prevents at least a portion of the copy of the packet from inclusion in the telemetry data. The switch sends the formed telemetry data to the traffic analysis service. WOODFORD (US-20190260794-A1): This prior art teaches of cyber security appliance has modules that utilize probes to interact with entities in a cloud infrastructure environment (CIE). A cloud module can 1) use the information about relevant changes in the CIE fed from the probes, and 2) use machine learning models that are trained on a normal behavior of at least a first entity associated with the CIE; and thus, indicate when a behavior of the first entity falls outside of being a normal pattern of life. A cyber threat module can use machine learning models trained on cyber threats in the CIE and examine at least the behaviors of the first entity falling outside of the normal pattern of life to determine what is a likelihood of ‘a chain of unusual behaviors under analysis that fall outside of being the normal behavior’ is a cyber threat. An autonomous response module can cause actions to contain the cyber threat. Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to AFAQ ALI whose telephone number is (571)272-1571. The examiner can normally be reached Mon - Fri 7:30am - 5:30pm EST. 
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ALI SHAYANFAR, can be reached at (571) 270-1050. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/A.A./ 02/18/2026
/AFAQ ALI/ Examiner, Art Unit 2434
/NOURA ZOUBAIR/ Primary Examiner, Art Unit 2434

Prosecution Timeline

Aug 01, 2023
Application Filed
Jun 09, 2025
Non-Final Rejection — §103, §DP
Aug 21, 2025
Interview Requested
Sep 08, 2025
Applicant Interview (Telephonic)
Sep 08, 2025
Examiner Interview Summary
Sep 30, 2025
Response Filed
Oct 31, 2025
Final Rejection — §103, §DP
Jan 20, 2026
Interview Requested
Jan 28, 2026
Applicant Interview (Telephonic)
Jan 28, 2026
Examiner Interview Summary
Feb 05, 2026
Request for Continued Examination
Feb 18, 2026
Response after Non-Final Action
Feb 19, 2026
Non-Final Rejection — §103, §DP (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12585791
ENCRYPTED COMMUNICATION METHOD AND ELECTRONIC DEVICE
2y 5m to grant Granted Mar 24, 2026
Patent 12572656
CONTROL FLOW INTEGRITY MONITORING BASED INSIGHTS
2y 5m to grant Granted Mar 10, 2026
Patent 12563050
TECHNIQUES FOR DETECTING CYBER-ATTACK SCANNERS
2y 5m to grant Granted Feb 24, 2026
Patent 12554828
MULTI-FACTOR AUTHENTICATION USING BLOCKCHAIN
2y 5m to grant Granted Feb 17, 2026
Patent 12549585
VULNERABILITY SCANNING OF HIDDEN NETWORK SYSTEMS
2y 5m to grant Granted Feb 10, 2026
Based on the 5 most recent grants.


Prosecution Projections

3-4
Expected OA Rounds
90%
Grant Probability
99%
With Interview (+12.2%)
2y 7m
Median Time to Grant
High
PTA Risk
Based on 132 resolved cases by this examiner. Grant probability derived from career allow rate.
