DETAILED ACTION
1. This action is responsive to an amendment filed on 11/20/2025.
2. Claims 1-20 are pending. Claims 1, 6 and 13 are independent. Claims 1, 4, 6, 9, 13 and 16 are currently amended. Amendments to the claims have been entered.
Response to Arguments
3. Regarding objections to claims 11 and 18, Applicant stated that “eBPF is not officially an acronym due to expanded functionality beyond simply extending the Berkeley Packet Filter.” Regardless of whether this statement is true, the abbreviation “eBPF” should be spelled out before being used in the claims.
4. Rejections under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, are withdrawn in view of the amendment.
5. Applicant’s arguments regarding the rejections under 35 U.S.C. § 103 are moot in view of the new ground(s) of rejection necessitated by the amendment.
Claim Objections
6. Claims 11 and 18 are objected to for informalities. Claims 11 and 18 both recite “eBPF”. The abbreviation “eBPF” was not spelled out before being used in the claims; therefore, claims 11 and 18 are objected to for informalities.
Claim Rejections - 35 USC § 103
7. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
8. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
9. Claims 1, 3-6, 8, 9, 11-13, 15, 16 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Viswambharan (US PG Pub. 2023/0198964) in view of Schilling (US PG Pub. 2017/0149807).
As regarding claim 1, Viswambharan discloses A method comprising:
generating, at a kernel space, one or more feature values from network traffic at the data link layer of a network stack [para. 88-90];
Viswambharan does not explicitly disclose the one or more feature values comprise inputs to a machine learning model in user space; however, Schilling discloses it [para. 63 and 90-91; metadata input into analysis tool 132 in user space wherein the analysis tool 132 analyzes data using machine learning algorithm].
It would have been obvious to one of ordinary skill in the art at the time of the effective filing of the invention to modify Viswambharan’s system to further comprise inputs to a machine learning model in user space, as disclosed by Schilling, to determine whether the metadata is associated with a compromised virtual machine [Schilling para. 93-94].
Viswambharan and Schilling further disclose passing the one or more feature values from the kernel space to a user space, wherein the user space processes network traffic at the application layer of the network stack [Viswambharan para. 119; passing data from eBPF map database to TA assistant];
inputting the one or more feature values into the machine learning model at the user space to obtain a verdict as output, wherein the verdict indicates malicious or benign network traffic [Viswambharan para. 44 and 90; determining malicious traffic || para. 46 and 57; updating the eBPF map database]; and
passing the verdict from the user space to the kernel space [Viswambharan para. 46 and 57; updating the eBPF map database].
As regarding claim 3, Viswambharan and Schilling further disclose The method of claim 1, wherein the one or more feature values are generated based, at least in part, on values extracted from fields of protocol data units of the network traffic [Viswambharan para. 65; map data].
As regarding claim 4, Viswambharan and Schilling further disclose The method of claim 3, wherein the extracted values comprise at least one of destination Internet Protocol addresses, protocol types, and destination ports [Viswambharan para. 29 and 65; port IP address], HyperText Transfer Protocol cookies, Uniform Resource Locators, hostnames, Server Name Indications, and Domain Name System records.
As regarding claim 5, Viswambharan and Schilling further disclose The method of claim 3, wherein the one or more feature values are generated, based, at least in part, on fields extracted from protocol data units of the network traffic [Viswambharan para. 65; map data].
As regarding claim 6, Viswambharan discloses A non-transitory machine-readable medium having program code stored thereon, the program code comprising instructions to:
attach one or more code hooks with a virtual machine executing on the machine-readable medium to a network interface of the machine-readable medium at the data link layer of a network stack [para. 23 and 88-90];
based on receipt of network traffic at the network interface triggering a first of the one or more code hooks, generate one or more feature values of the network traffic [para. 88-90 and 86];
communicate the one or more feature values from the kernel space to a user space of the machine-readable medium [Viswambharan para. 119; passing data from eBPF map database to TA assistant];
input the one or more feature values to obtain a verdict of the network traffic as output, wherein the verdict indicates malicious or benign network traffic [Viswambharan para. 44 and 90; determining malicious traffic || para. 46 and 57; updating the eBPF map database];
Viswambharan does not explicitly disclose inputting the one or more feature values into a machine learning model in user space; however, Schilling discloses it [para. 63 and 90-91; metadata input into analysis tool 132 in user space wherein the analysis tool 132 analyzes data using machine learning algorithm].
It would have been obvious to one of ordinary skill in the art at the time of the effective filing of the invention to modify Viswambharan’s system to further comprise inputting the one or more feature values into a machine learning model in user space, as disclosed by Schilling, to determine whether the metadata is associated with a compromised virtual machine [Schilling para. 93-94].
Viswambharan and Schilling further disclose communicate the verdict from the user space of the machine-readable medium to the virtual machine [Viswambharan para. 46 and 57].
As regarding claim 8, Viswambharan and Schilling further disclose The non-transitory machine-readable medium of claim 6, wherein the one or more feature values are generated based on values extracted from protocol data unit fields of the network traffic [Viswambharan para. 56, 65 and 73].
As regarding claim 9, Viswambharan and Schilling further disclose The non-transitory machine-readable medium of claim 8, wherein the extracted values comprise at least one of destination Internet Protocol addresses, protocol types [para. 42], and destination ports [Viswambharan para. 29 and 65; port IP address], HyperText Transfer Protocol cookies, Uniform Resource Locators, hostnames, Server Name Indications, and Domain Name System records.
As regarding claim 11, Viswambharan and Schilling further disclose The non-transitory machine-readable medium of claim 6, wherein the instructions to attach the one or more code hooks from the kernel space to the network interface comprise instructions to attach the one or more code hooks with eBPF [Viswambharan para. 23 and 88-90].
As regarding claim 12, Viswambharan and Schilling further disclose The non-transitory machine-readable medium of claim 6, further comprising instructions to, based on passing a malicious verdict from the user space to the kernel space, throttle the network traffic at the network interface [Viswambharan para. 44 and 90; dropping malicious traffic].
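The flow recited in claim 1 (kernel-space feature extraction at the data link layer, hand-off to a user-space model, verdict returned to the kernel), the header fields of claim 4 and the drop/throttle of claim 12 are simulated below. This is an added illustration, not code from the application or from the Viswambharan, Schilling or Masputra references. It assumes constructed Ethernet/IPv4 frames, a Python list standing in for the kernel-to-user ring buffer, a dictionary standing in for the verdict map, and a fixed destination-port denylist standing in for the trained model; all of those are stand-ins chosen for the example.

```python
"""Simulation of the kernel/user-space feature-and-verdict loop of claim 1.

Constructed example: the eBPF map, ring buffer and model are toy stand-ins.
"""
import struct
from dataclasses import dataclass

ETH_HLEN = 14
ETH_P_IP = 0x0800
IPPROTO_TCP = 6
IPPROTO_UDP = 17


@dataclass(frozen=True)
class Features:
    """Feature values extracted at the data link layer (claim 4 fields)."""
    dst_ip: str
    proto: int
    dst_port: int


# Stand-in for the kernel->user ring buffer and the verdict map.
FEATURE_QUEUE: list = []
VERDICT_MAP: dict = {}

# Constructed stand-in for the learned model: flag these destination ports.
SUSPICIOUS_PORTS = {4444, 1337}


def extract_features(frame: bytes):
    """'Kernel-space' parser: Ethernet/IPv4/{TCP,UDP} headers -> Features or None."""
    if len(frame) < ETH_HLEN:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_IP:
        return None  # non-IP frames are not classified here
    ip = frame[ETH_HLEN:]
    if len(ip) < 20:
        return None
    ihl = (ip[0] & 0x0F) * 4  # header length in bytes
    if ihl < 20 or len(ip) < ihl:
        return None  # malformed header length: do not trust the packet
    proto = ip[9]
    dst_ip = ".".join(str(b) for b in ip[16:20])
    l4 = ip[ihl:]
    dst_port = 0
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        if len(l4) < 4:
            return None  # truncated transport header
        dst_port = struct.unpack("!H", l4[2:4])[0]
    return Features(dst_ip, proto, dst_port)


def user_space_model(f: Features) -> str:
    """Stand-in for the machine-learning model; returns the verdict."""
    return "malicious" if f.dst_port in SUSPICIOUS_PORTS else "benign"


def kernel_hook(frame: bytes) -> str:
    """Data-link-layer hook: consult the verdict map, else queue features."""
    f = extract_features(frame)
    if f is None:
        return "PASS"
    verdict = VERDICT_MAP.get(f)
    if verdict is None:
        FEATURE_QUEUE.append(f)  # pass feature values to user space
        return "PASS"            # no verdict yet: do not block on user space
    return "DROP" if verdict == "malicious" else "PASS"


def user_space_poll() -> int:
    """User-space loop body: classify queued features, write verdicts back."""
    n = 0
    while FEATURE_QUEUE:
        f = FEATURE_QUEUE.pop(0)
        VERDICT_MAP[f] = user_space_model(f)  # verdict passed back to kernel
        n += 1
    return n


def build_frame(dst_ip: str, proto: int, dst_port: int) -> bytes:
    """Construct a minimal Ethernet/IPv4 frame with an 8-byte transport stub."""
    eth = b"\x00" * 12 + struct.pack("!H", ETH_P_IP)
    src = bytes([10, 0, 0, 1])
    dst = bytes(int(x) for x in dst_ip.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 8, 0, 0, 64, proto, 0, src, dst)
    l4 = struct.pack("!HH", 40000, dst_port) + b"\x00" * 4
    return eth + ip_hdr + l4


def run_demo():
    """Two flows, two passes: verdicts take effect once user space has replied."""
    VERDICT_MAP.clear()
    FEATURE_QUEUE.clear()
    flagged = build_frame("203.0.113.9", IPPROTO_TCP, 4444)
    normal = build_frame("198.51.100.7", IPPROTO_TCP, 443)
    first = [kernel_hook(flagged), kernel_hook(normal)]
    classified = user_space_poll()
    second = [kernel_hook(flagged), kernel_hook(normal)]
    return first, classified, second


if __name__ == "__main__":
    print(run_demo())
```

The first pass lets both frames through because no verdict exists yet; after user space drains the queue and writes verdicts, the second pass drops the flagged flow. Bounds checks on the IP header length and transport header guard the kernel-side parser against truncated or malformed frames.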
As regarding claim 13, Viswambharan discloses An apparatus comprising:
a processor [para. 118];
a network interface [para. 118]; and
a machine-readable medium, the machine-readable medium having instructions stored thereon that are executable by the processor [para. 118] to cause the apparatus to:
receive network traffic at the network interface, wherein the network traffic comprises network traffic at the data link layer of a network stack implementation for the apparatus [para. 88-90];
based on receipt of the network traffic triggering a first of one or more code hooks, process the network traffic to generate one or more feature values of the network traffic [para. 88-90 and 86];
pass the one or more feature values from the data link layer to the application layer of the network stack implementation [para. 90];
input the one or more feature values into the application layer of the network stack implementation to obtain a verdict for the network traffic, wherein the verdict indicates whether the network traffic is malicious or benign [Viswambharan para. 44 and 90; determining malicious traffic || para. 46 and 57; updating the eBPF map database];
Viswambharan does not explicitly disclose inputting the one or more feature values into a machine learning model; however, Schilling discloses it [para. 63 and 90-91; metadata input into analysis tool 132 in user space wherein the analysis tool 132 analyzes data using machine learning algorithm].
It would have been obvious to one of ordinary skill in the art at the time of the effective filing of the invention to modify Viswambharan’s system to further comprise inputting the one or more feature values into a machine learning model, as disclosed by Schilling, to determine whether the metadata is associated with a compromised virtual machine [Schilling para. 93-94].
Viswambharan and Schilling further disclose pass the verdict from the application layer to the data link layer of the network stack implementation [Viswambharan para. 46 and 57; updating the eBPF map database].
As regarding claim 15, Viswambharan and Schilling further disclose The apparatus of claim 13, wherein the one or more feature values are generated based on values extracted from protocol data unit fields of the network traffic [Viswambharan para. 56, 65 and 73].
As regarding claim 16, Viswambharan and Schilling further disclose The apparatus of claim 15, wherein the extracted values comprise at least one of destination Internet Protocol addresses, protocol types [para. 42], and destination ports [Viswambharan para. 29 and 65; port IP address], HyperText Transfer Protocol cookies, Uniform Resource Locators, hostnames, Server Name Indications, and Domain Name System records.
As regarding claim 18, Viswambharan and Schilling further disclose The apparatus of claim 13, further comprising instructions executable by the processor to cause the apparatus to attach the one or more code hooks at the network interface with an in-kernel virtual machine with eBPF, wherein the one or more code hooks receive and redirect protocol data units of the network traffic from the network interface [Viswambharan para. 60].
As regarding claim 19, Viswambharan and Schilling further disclose The apparatus of claim 13, wherein the network interface comprises a network interface card [Viswambharan para. 82-83].
As regarding claim 20, Viswambharan and Schilling further disclose The apparatus of claim 13, further comprising instructions executable by the processor to cause the apparatus to, based on passing a malicious verdict from the application layer to the data link layer of the network stack implementation, throttle the network traffic at the network interface [Viswambharan para. 44 and 90; dropping malicious traffic].
10. Claims 2, 7 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Viswambharan (US PG Pub. 2023/0198964) in view of Schilling (US PG Pub. 2017/0149807) further in view of Masputra (US PG Pub. 2019/0306282).
As regarding claim 2, Viswambharan and Schilling disclose The method of claim 1, wherein passing the one or more feature values from kernel space to the user space [Viswambharan para. 88-90].
Viswambharan and Schilling do not disclose passing the one or more feature values in zero-copy shared memory, and wherein passing the verdict from the user space to the kernel space comprises passing the verdict in the zero-copy shared memory. However, Masputra discloses it [para. 46].
It would have been obvious to one of ordinary skill in the art at the time of the effective filing of the invention to modify Viswambharan and Schilling’s system to further comprise the missing claim features, as disclosed by Masputra, to make the system more efficient by not requiring copying of data between two processes or between the kernel and trusted first-party apps [Masputra para. 46].
As regarding claim 7, Viswambharan, Schilling and Masputra further disclose The non-transitory machine-readable medium of claim 6, wherein the instructions to communicate the one or more feature values from the kernel space to the user space [Viswambharan para. 119; passing data from eBPF map database to TA assistant] and the instructions to communicate the verdict from the user space to the kernel space comprise instructions to pass the one or more feature values and the verdict [Viswambharan para. 46 and 57; updating the eBPF map database], respectively, in zero-copy shared memory [Masputra para. 46].
As regarding claim 14, Viswambharan, Schilling and Masputra further disclose The apparatus of claim 13, wherein the instructions to pass the one or more feature values from the data link layer to the application layer [Viswambharan para. 119; passing data from eBPF map database to TA assistant] and the instructions to pass the verdict from the application layer to the data link layer of the network stack implementation comprise instructions executable by machine-readable medium to cause the apparatus to pass the one or more feature values and the verdict [Viswambharan para. 46 and 57; updating the eBPF map database], respectively, in zero-copy shared memory [Masputra para. 46].
11. Claims 10 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Viswambharan (US PG Pub. 2023/0198964) in view of Schilling (US PG Pub. 2017/0149807) in view of Masputra (US PG Pub. 2019/0306282) and further in view of Weber (US PG Pub. 2024/0223607).
As regarding claims 10 and 17, Viswambharan, Schilling and Masputra do not disclose that the machine learning model comprises at least one of a string-matching model, a random forest model, a neural network model, and a gradient boosting model. However, Weber discloses it [para. 67].
It would have been obvious to one of ordinary skill in the art at the time of the effective filing of the invention to modify Viswambharan, Schilling and Masputra’s machine learning model to further comprise at least one of a string-matching model, a random forest model, a neural network model, and a gradient boosting model, as disclosed by Weber, as one of a plurality of alternative machine learning algorithms that could be used in the system.
Conclusion
Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THONG P TRUONG whose telephone number is (571)270-7905. The examiner can normally be reached on M-F 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on 57127267986798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/THONG TRUONG/
Examiner, Art Unit 2433
/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433