Prosecution Insights
Last updated: May 29, 2026
Application No. 18/355,576

METHOD FOR IDENTIFYING SUCCESSFUL ATTACK AND PROTECTION DEVICE

Non-Final OA: §102, §103
Filed: Jul 20, 2023
Priority: Jan 21, 2021 (CN 202110084243.8, +1 more)
Examiner: PARSONS, THEODORE C
Art Unit: 2494
Tech Center: 2400 (Computer Networks)
Assignee: Huawei Technologies Co., Ltd.
OA Round: 2 (Non-Final)

Office Action (§102, §103)

DETAILED ACTION

Response to Amendment

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. This is in reply to papers filed on 2025-08-29. Claims 1-17, 21-23 are pending, following Applicant's cancellation of claims 18-20 and addition of new claims 21-23. Claims 1, 14, 21 are independent. Priority papers submitted under 35 U.S.C. § 119(a)-(d) and 35 U.S.C. § 365(a)-(c) are acknowledged.

The rejection(s) of claims 18-20 under 35 U.S.C. § 101 are withdrawn in view of Applicant's amendments. The rejection(s) of claims 1-20 under 35 U.S.C. § 101 are withdrawn in view of Applicant's amendments. See Response to Arguments below.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a).

Response to Arguments

With respect to claims 1-20 (see pages 9-13 of Applicant's Remarks), Applicant argues that the claims are not ineligible under 35 U.S.C. § 101 as an abstract idea. Examiner finds that the claims herein are substantially similar to the claims in SRI Int'l, Inc. v. Cisco Systems, Inc., 930 F.3d 1295, 1304 (Fed. Cir. 2019). There, the court found that claims to collection and security analysis of network traffic were not directed to the abstract idea of a mental process because "the human mind is not equipped to detect suspicious activity by using network monitors and analyzing network packets as recited by the claims". MPEP § 2016(a)(2)(III)(A) quoting SRI Int'l, 930 F.3d at 1304. Applying this reasoning to the instant claims, step 2A of the subject matter eligibility analysis determines that the claims are not directed to an abstract idea. Accordingly, the rejection is withdrawn. Applicant's arguments regarding the prior art have been fully considered but are moot in view of the new ground(s) of rejection.
With respect to claim 1 (see pages 14-15 of Applicant's Remarks), Applicant argues that the prior art of record (in particular, Guofei Gu, M. Sharif, Xinzhou Qin, D. Dagon, W. Lee and G. Riley, "Worm detection, early warning and response based on local victim information," 20th Annual Computer Security Applications Conference, Tucson, pp. 136-145 (IEEE 2004) (hereinafter "Gu 2004") in view of U.S. Publication 20210194853 to Xiao et al. (hereinafter "Xiao '853")) does not disclose, in the recited context: detecting, based on the attack data and the identifier of the attacked host, whether the second data flow and the first data flow meet the association condition comprises comparing the attack data and the identifier of the attacked host with information obtained from the second data flow.

However, Gu 2004 teaches using the address of the attacked host to determine whether second flows are further propagation of an attack [Gu 2004 § 3.3]. Examiner agrees that Gu 2004 does not disclose deep inspection of the payload data of a flow to obtain attack data from the payload. However, Xiao '853 teaches this subject matter. Xiao '853 discloses using not only the initial victim host's address, but also content extracted from the payload, including a port number, file, URL, or artifact (which is then correlated to a malware signature) [Xiao '853 ¶ 0099, 0030, 0109, 0123, 0128, Fig. 8] to determine whether outbound traffic from the initial victim is further propagation of an attack [Xiao '853 ¶ 0106, 0109, 0123, Fig. 8]. Applicant's arguments fail to engage with these disclosures from Xiao '853. Accordingly, Applicant's arguments are unpersuasive.

Applicant's arguments with respect to the remaining claims are based on Applicant's arguments with respect to claim 1 and have been considered as detailed above.

Summary of Claim Rejections under 35 U.S.C. § 103

The following table summarizes the rejections set forth in detail below of the claims over the prior art.
Ground A: Gu 2004 in view of Xiao '853
Ground B: Gu 2004 in view of Xiao '853 in view of Kang '136
Ground C: Gu 2004 in view of Xiao '853 in view of Korsunsky '869

Claim No.   Ground A   Ground B   Ground C
1           ✓
2           ✓
3           ✓
4           ✓
5           ✓
6           ✓
7           ✓
8           ✓
9           ✓
10                     ✓
11                     ✓
12                                ✓
13                                ✓
14          ✓
15          ✓
16          ✓
17          ✓
21          ✓
22          ✓
23          ✓

Claim Rejections - 35 U.S.C. § 103

The following is a quotation of the appropriate paragraphs of AIA 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:

A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of AIA 35 U.S.C. 103 that forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. § 103(a) are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-9, 14-17, 21-23 are rejected under 35 U.S.C. § 103 as being unpatentable over Guofei Gu, M. Sharif, Xinzhou Qin, D. Dagon, W. Lee and G. Riley, "Worm detection, early warning and response based on local victim information," 20th Annual Computer Security Applications Conference, Tucson, pp. 136-145 (IEEE 2004) (hereinafter "Gu 2004") in view of U.S. Publication 20210194853 to Xiao et al. (hereinafter "Xiao '853"). Gu 2004 is prior art to the claims under 35 U.S.C. § 102(a)(1). Xiao '853 is prior art to the claims under 35 U.S.C. § 102(a)(2).
Per claim 1 (independent):

Gu 2004 discloses a method comprising performing, by a network apparatus, attack detection on a first data flow ("a host that previously received a scan on an identical port" [Gu 2004 § 3.1]; identifies each local host in network traffic targeted by previous scanning behavior [Gu 2004 § 3.1]).

Gu 2004 does not disclose in response to an attack event being detected in the first data flow, extracting attack data from payload content of the first data flow, and obtaining an identifier of an attacked host from a packet header of the first data flow. However, Gu 2004 discloses in response to an attack event being detected in the first data flow, extracting attack data from the first data flow, and obtaining an identifier of an attacked host from a packet header of the first data flow (identifies each local host in network traffic targeted by previous scanning behavior [Gu 2004 § 3.1]).

Gu 2004 discloses obtaining a second data flow, wherein the second data flow is a data flow transmitted after the attack event occurs in the first data flow (monitor outgoing traffic from the targeted host for behavioral anomalies, e.g. port scanning behavior [Gu 2004 § 3.3]).

Gu 2004 does not disclose detecting, based on the attack data and the identifier of the attacked host, whether the second data flow and the first data flow meet an association condition. However, Gu 2004 discloses detecting, based on flow data and the identifier of the attacked host, whether the second data flow and the first data flow meet an association condition (monitor outgoing traffic from the targeted host for behavioral anomalies, e.g. port scanning behavior [Gu 2004 § 3.3]).

Gu 2004 does not disclose detecting, based on the attack data and the identifier of the attacked host, whether the second data flow and the first data flow meet the association condition comprises comparing the attack data and the identifier of the attacked host with information obtained from the second data flow. However, Gu 2004 discloses detecting, based on flow data and the identifier of the attacked host, whether the second data flow and the first data flow meet the association condition comprises comparing flow data and the identifier of the attacked host with information obtained from the second data flow (monitor outgoing traffic from the targeted host for behavioral anomalies, e.g. port scanning behavior [Gu 2004 § 3.3]).

Gu 2004 discloses in response to the second data flow and the first data flow meeting the association condition, determining that the attack event is a successfully executed attack event (if outgoing traffic from the targeted host shows behavioral anomalies exceeding normal, declare targeted host infected [Gu 2004 § 3.3, 3.1]).

Further: Xiao '853 discloses in response to an attack event being detected in the first data flow, extracting attack data from payload content of the first data flow, and obtaining an identifier of an attacked host from a packet header of the first data flow (extracts suspect payload comprising, e.g. address, port, file, URL [Xiao '853 ¶ 0099, 0030, 0109, 0123, 0128, Fig. 8]; monitors outgoing traffic to identify outbound traffic from victim indicative of compromise [Xiao '853 ¶ 0106, 0109, 0123, Fig. 8]).

Xiao '853 discloses detecting, based on the attack data and the identifier of the attacked host, whether the second data flow and the first data flow meet an association condition (extracts suspect payload comprising, e.g. address, port, file, URL [Xiao '853 ¶ 0099, 0030, 0109, 0123, 0128, Fig. 8]; monitors outgoing traffic to identify outbound traffic from victim indicative of compromise [Xiao '853 ¶ 0106, 0109, 0123, Fig. 8]).

Xiao '853 discloses detecting, based on the attack data and the identifier of the attacked host, whether the second data flow and the first data flow meet the association condition comprises comparing the attack data and the identifier of the attacked host with information obtained from the second data flow (extracts suspect payload comprising, e.g. address, port, file, URL [Xiao '853 ¶ 0099, 0030, 0109, 0123, 0128, Fig. 8]; monitors outgoing traffic to identify outbound traffic from victim indicative of compromise [Xiao '853 ¶ 0106, 0109, 0123, Fig. 8]).

It would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Gu 2004 with the payload analysis and attack types of Xiao '853 to arrive at an apparatus, method, and product including:
in response to an attack event being detected in the first data flow, extracting attack data from payload content of the first data flow, and obtaining an identifier of an attacked host from a packet header of the first data flow;
detecting, based on the attack data and the identifier of the attacked host, whether the second data flow and the first data flow meet an association condition;
detecting, based on the attack data and the identifier of the attacked host, whether the second data flow and the first data flow meet the association condition comprises comparing the attack data and the identifier of the attacked host with information obtained from the second data flow.

A person having ordinary skill in the art would have been motivated to combine them at least because using the payload inspection and attack type patterns of Xiao '853 would have allowed the flow correlation detection system of Gu 2004 to accurately classify a much wider range of attack types.

A person having ordinary skill in the art would have been further motivated to combine them at least because Xiao '853 teaches [Xiao '853 ¶ 0099, 0030, 0106, 0109, 0123, 0128, Fig. 8 and accompanying text; ¶ 0022, 0030, 0049, 0084] modifying a flow correlation detection system [Gu 2004 § 3] such as that of Gu 2004 to arrive at the claimed invention; because Gu 2004 and Xiao '853 are in the same field of endeavor; because doing so constitutes use of a known technique (payload analysis and attack types [Xiao '853 ¶ 0099, 0030, 0106, 0109, 0123, 0128, Fig. 8 and accompanying text; ¶ 0022, 0030, 0049, 0084]) to improve similar devices and/or methods (flow correlation detection system [Gu 2004 § 3]) in the same way; because doing so constitutes applying a known technique (payload analysis and attack types [Xiao '853 ¶ 0099, 0030, 0106, 0109, 0123, 0128, Fig. 8 and accompanying text; ¶ 0022, 0030, 0049, 0084]) to known devices and/or methods (flow correlation detection system [Gu 2004 § 3]) ready for improvement to yield predictable results; and because the modification amounts to combining prior art elements according to known methods to yield predictable results. Here, (1) the prior art included each element (as detailed above); (2) one of ordinary skill in the art could have combined the elements as claimed by known methods, and in this combination, each element merely performs the same function as it does separately (flow correlation detection system [Gu 2004 § 3] classifies anomalies as attacks using payload analysis and attack types [Xiao '853 ¶ 0099, 0030, 0106, 0109, 0123, 0128, Fig. 8 and accompanying text; ¶ 0022, 0030, 0049, 0084]); (3) one of ordinary skill in the art would have recognized that the results of the combination were predictable; and (4) other considerations do not overcome this conclusion.
Per claim 2 (dependent on claim 1):

Gu 2004 in view of Xiao '853 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference.

Gu 2004 discloses a transmission time interval between the second data flow and the first data flow is less than or equal to a time window (time window [Gu 2004 § 3.1]).

Per claim 3 (dependent on claim 1):

Gu 2004 in view of Xiao '853 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference.

Gu 2004 discloses the identifier of the attacked host is determined based on destination address information of a responder of the first data flow, the attacked host is located in a local area network, and the first data flow is initiated by an attack host located in the internet to the attacked host (monitor outgoing traffic from the targeted host for behavioral anomalies, e.g. port scanning behavior [Gu 2004 § 3.3]; simulation environment including initiating attacker was an internet [Gu 2004 § 4.5]).

Per claim 4 (dependent on claim 1):

Gu 2004 in view of Xiao '853 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference.

Gu 2004 does not disclose the attack data comprises an identifier of a specified object.

Further: Xiao '853 discloses the attack data comprises an identifier of a specified object (extracts suspect payload comprising address of command and control host [Xiao '853 ¶ 0099, 0123, 0128, Fig. 8]; monitors outgoing traffic to identify successful reverse shell attacks communicating outward with address of command and control host [Xiao '853 ¶ 0106, 0109, 0123, Fig. 8]).

For the reasons detailed above with respect to claim 1, it would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Gu 2004 with the payload analysis and attack types of Xiao '853 to arrive at an apparatus, method, and product including: the attack data comprises an identifier of a specified object.

Per claim 5 (dependent on claim 4):

Gu 2004 in view of Xiao '853 discloses the elements detailed in the rejection of claim 4 above, incorporated herein by reference.

Gu 2004 does not disclose [or] the specified object is a specified host, and the identifier of the specified object is an address of the specified host.

Gu 2004 does not disclose [or] the specified object is a specified file stored in the attacked host, and the identifier of the specified object is an identifier of the specified file.

Gu 2004 does not disclose [or] the specified object is a specified resource, and an identifier of the specified resource is a locator of the specified resource.

Gu 2004 does not disclose or the specified object [extracted from the payload] is a specified port, and the identifier of the specified object is a port number of the specified port. However, Gu 2004 discloses or an extracted object is a specified port, and the identifier of the specified object is a port number of the specified port (monitors whether host targeted on a given port/protocol begins scanning other local hosts on same port/protocol [Gu 2004 § 1, § 3.0]).

Further: Xiao '853 discloses [or] the specified object is a specified host, and the identifier of the specified object is an address of the specified host (extracts suspect payload comprising address of command and control host [Xiao '853 ¶ 0099, 0123, 0128, Fig. 8]; monitors outgoing traffic to identify successful reverse shell attacks communicating outward with address of command and control host [Xiao '853 ¶ 0106, 0109, 0123, Fig. 8]).

Xiao '853 discloses [or] the specified object is a specified resource, and an identifier of the specified resource is a locator of the specified resource (monitors outgoing traffic to identify successful reverse shell attacks communicating outward with address of command and control host [Xiao '853 ¶ 0106, 0109, 0123, Fig. 8]; extracts URL used in attack, e.g. to supply commands via HTTP to reverse shell [Xiao '853 ¶ 0030, 0109, 0128]).

Xiao '853 discloses or the specified object is a specified port, and the identifier of the specified object is a port number of the specified port (extracts port number for monitoring [Xiao '853 ¶ 0087, 0092, 0094, 0109, 0128]).

For the reasons detailed above with respect to claim 1, it would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Gu 2004 with the payload analysis and attack types of Xiao '853 to arrive at an apparatus, method, and product including:
the specified object is a specified host, and the identifier of the specified object is an address of the specified host;
the specified object is a specified resource, and an identifier of the specified resource is a locator of the specified resource;
the specified object is a specified port, and the identifier of the specified object is a port number of the specified port.

Per claim 6 (dependent on claim 5):

Gu 2004 in view of Xiao '853 discloses the elements detailed in the rejection of claim 5 above, incorporated herein by reference.

Gu 2004 does not disclose the attack event comprises a reverse shell attack, the specified host is a control end of a reverse shell, the address of the specified host in the attack data is an address of the control end of the reverse shell, and the reverse shell attack is an attack initiated by the attacked host by sending a request to the control end.

Further: Xiao '853 discloses the attack event comprises a reverse shell attack, the specified host is a control end of a reverse shell, the address of the specified host in the attack data is an address of the control end of the reverse shell, and the reverse shell attack is an attack initiated by the attacked host by sending a request to the control end (extracts suspect payload [Xiao '853 ¶ 0099, 0123, 0128, Fig. 8]; monitors outgoing traffic to identify successful reverse shell attacks communicating outward with address of command and control [Xiao '853 ¶ 0106, 0109, 0123, Fig. 8]).

For the reasons detailed above with respect to claim 1, it would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Gu 2004 with the payload analysis and attack types of Xiao '853 to arrive at an apparatus, method, and product including: the attack event comprises a reverse shell attack, the specified host is a control end of a reverse shell, the address of the specified host in the attack data is an address of the control end of the reverse shell, and the reverse shell attack is an attack initiated by the attacked host by sending a request to the control end.

Per claim 7 (dependent on claim 6):

Gu 2004 in view of Xiao '853 discloses the elements detailed in the rejection of claim 6 above, incorporated herein by reference.

Gu 2004 discloses the identifier of the attacked host comprises an IP address of the attacked host, and the second data flow and the first data flow meeting the association condition comprises an internet protocol IP address of an initiator of the second data flow comprises the IP address of the attacked host, and an address of a responder of the second data flow is the address of the control end of the reverse shell (monitor outgoing traffic from the targeted host for behavioral anomalies, e.g. port scanning behavior [Gu 2004 § 3.3]; simulation environment including initiating attacker was an internet [Gu 2004 § 4.5]).

Per claim 8 (dependent on claim 5):

Gu 2004 in view of Xiao '853 discloses the elements detailed in the rejection of claim 5 above, incorporated herein by reference.

Gu 2004 does not disclose the attack event comprises an outgoing request attack, the attack data comprises a locator of a resource on a specified host in the internet, and the outgoing request attack is an attack initiated by the attacked host by requesting the resource on the specified host in the internet.

Further: Xiao '853 discloses the attack event comprises an outgoing request attack, the attack data comprises a locator of a resource on a specified host in the internet, and the outgoing request attack is an attack initiated by the attacked host by requesting the resource on the specified host in the internet (monitors outgoing traffic to identify successful reverse shell attacks communicating outward with address of command and control host [Xiao '853 ¶ 0106, 0109, 0123, Fig. 8]; extracts URL used in attack, e.g. to supply commands via HTTP to reverse shell [Xiao '853 ¶ 0030, 0109, 0128]).

For the reasons detailed above with respect to claim 1, it would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Gu 2004 with the payload analysis and attack types of Xiao '853 to arrive at an apparatus, method, and product including: the attack event comprises an outgoing request attack, the attack data comprises a locator of a resource on a specified host in the internet, and the outgoing request attack is an attack initiated by the attacked host by requesting the resource on the specified host in the internet.

Per claim 9 (dependent on claim 8):

Gu 2004 in view of Xiao '853 discloses the elements detailed in the rejection of claim 8 above, incorporated herein by reference.

Gu 2004 does not disclose the second data flow and the first data flow meeting the association condition comprises an IP address of an initiator of the second data flow comprises an IP address of the attacked host, the second data flow comprises the locator of the resource on the specified host in the internet, and a protocol on which the second data flow is based is a protocol for a payload of the first data flow. However, Gu 2004 discloses the second data flow and the first data flow meeting the association condition comprises an IP address of an initiator of the second data flow comprises an IP address of the attacked host, the second data flow comprises the locator of the resource on the specified host in the internet, and a port on which the second data flow is based is a port for an exploit of the first data flow (monitor outgoing traffic from the targeted host for behavioral anomalies, e.g. port scanning behavior [Gu 2004 § 3.3]; simulation environment including initiating attacker was an internet [Gu 2004 § 4.5]; monitors whether host targeted on a given port/protocol begins scanning other local hosts on same port/protocol [Gu 2004 § 1, § 3.0]).

Further: Xiao '853 discloses the second data flow and the first data flow meeting the association condition comprises an IP address of an initiator of the second data flow comprises an IP address of the attacked host, the second data flow comprises the locator of the resource on the specified host in the internet, and a protocol on which the second data flow is based is a protocol for a payload of the first data flow (monitors outgoing traffic to identify successful reverse shell attacks communicating outward with address of command and control host [Xiao '853 ¶ 0106, 0109, 0123, Fig. 8]; extracts URL used in attack, e.g. to supply commands via HTTP to reverse shell [Xiao '853 ¶ 0030, 0109, 0128]; monitors protocols, e.g. "HyperText Transfer Protocol (HTTP), a Domain Name System (DNS) request, a file transfer using File Transfer Protocol (FTP), and various other types of applications and other protocols, such as Telnet, DHCP, TCP, UDP, and TFTP (GSS))" [Xiao '853 ¶ 0022, 0030, 0049, 0084]).

For the reasons detailed above with respect to claim 1, it would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Gu 2004 with the payload analysis and attack types of Xiao '853 to arrive at an apparatus, method, and product including: the second data flow and the first data flow meeting the association condition comprises an IP address of an initiator of the second data flow comprises an IP address of the attacked host, the second data flow comprises the locator of the resource on the specified host in the internet, and a protocol on which the second data flow is based is a protocol for a payload of the first data flow.
Per claim 14 (independent):

Gu 2004 does not disclose a protection device comprising a non-transitory memory storing a program code; a network interface; and at least one processor in communication with the non-transitory memory, wherein the one or more processors execute the program code.

The remaining limitations of the claim correspond to features of claim 1 and the claim is rejected for the reasons detailed with respect to that claim.

Further: Xiao '853 discloses a protection device comprising a non-transitory memory storing a program code; a network interface; and at least one processor in communication with the non-transitory memory, wherein the one or more processors execute the program code (processor(s), memory, computer readable media, storage, executable instructions [Xiao '853 ¶ 0015, 0071, 0107, 0113-0119]).

For the reasons detailed above with respect to claim 1, it would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Gu 2004 with the payload analysis and attack types of Xiao '853 to arrive at an apparatus, method, and product including: a protection device comprising a non-transitory memory storing a program code; a network interface; and at least one processor in communication with the non-transitory memory, wherein the one or more processors execute the program code.

Per claim 15 (dependent on claim 14):

Gu 2004 in view of Xiao '853 discloses the elements detailed in the rejection of claim 14 above, incorporated herein by reference. The remaining limitations of the claim correspond to features of claim 3 and the claim is rejected for the reasons detailed with respect to that claim.

Per claim 16 (dependent on claim 14):

Gu 2004 in view of Xiao '853 discloses the elements detailed in the rejection of claim 14 above, incorporated herein by reference. The remaining limitations of the claim correspond to features of claim 5 and the claim is rejected for the reasons detailed with respect to that claim.

Per claim 17 (dependent on claim 16):

Gu 2004 in view of Xiao '853 discloses the elements detailed in the rejection of claim 16 above, incorporated herein by reference. The remaining limitations of the claim correspond to features of claims 7 or 8 and the claim is rejected for the reasons detailed with respect to those claims.

Per claim 21 (independent):

Gu 2004 does not disclose a non-transitory computer-readable storage medium, wherein storage medium is coupled to one or more processors and storing programming instructions for execution by the one or more processors, the programming instructions instruct the one or more processors to perform operations.

The remaining limitations of the claim correspond to features of claim 1 and the claim is rejected for the reasons detailed with respect to that claim.

Further: Xiao '853 discloses a non-transitory computer-readable storage medium, wherein storage medium is coupled to one or more processors and storing programming instructions for execution by the one or more processors, the programming instructions instruct the one or more processors to perform operations (processor(s), memory, computer readable media, storage, executable instructions [Xiao '853 ¶ 0015, 0071, 0107, 0113-0119]).

For the reasons detailed above with respect to claim 1, it would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Gu 2004 with the payload analysis and attack types of Xiao '853 to arrive at an apparatus, method, and product including: a non-transitory computer-readable storage medium, wherein storage medium is coupled to one or more processors and storing programming instructions for execution by the one or more processors, the programming instructions instruct the one or more processors to perform operations.

Per claim 22 (dependent on claim 21):

Gu 2004 in view of Xiao '853 discloses the elements detailed in the rejection of claim 21 above, incorporated herein by reference. The remaining limitations of the claim correspond to features of claim 3 and the claim is rejected for the reasons detailed with respect to that claim.

Per claim 23 (dependent on claim 21):

Gu 2004 in view of Xiao '853 discloses the elements detailed in the rejection of claim 12 above, incorporated herein by reference. The remaining limitations of the claim correspond to features of claims 4 and 5 and the claim is rejected for the reasons detailed with respect to those claims.

Claims 10-11 are rejected under 35 U.S.C. § 103 as being unpatentable over Gu 2004 in view of Xiao '853 in view of U.S. Publication 20200314136 to Kang et al. (hereinafter "Kang '136").
Kang '136 is prior art to the claims under 35 U.S.C. § 102(a)(1) and 35 U.S.C. § 102(a)(2).

Per claim 10 (dependent on claim 5): Gu 2004 in view of Xiao '853 discloses the elements detailed in the rejection of claim 5 above, incorporated herein by reference. Gu 2004 does not disclose the attack event comprises a server-side request forgery (SSRF) attack, the attack data comprises a locator of a resource on a specified host in a local area network, and the SSRF attack is an attack initiated by the attacked host by requesting the resource on the specified host in the local area network.

Further: Kang '136 discloses the attack event comprises a server-side request forgery (SSRF) attack, the attack data comprises a locator of a resource on a specified host in a local area network, and the SSRF attack is an attack initiated by the attacked host by requesting the resource on the specified host in the local area network (monitors attempts at suspect URL by simulated compromised server to extract information from victim server in SSRF attack [Kang '136 ¶ 0034, 0041, 0057, Fig. 8 and related text]). It would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Gu 2004 in view of Kang '136 with the attack types of Kang '136 to arrive at an apparatus, method, and product including: the attack event comprises a server-side request forgery (SSRF) attack, the attack data comprises a locator of a resource on a specified host in a local area network, and the SSRF attack is an attack initiated by the attacked host by requesting the resource on the specified host in the local area network. A person having ordinary skill in the art would have been motivated to combine them at least because using the attack type patterns of Kang '136 would have allowed the flow correlation detection system of Gu 2004 to accurately classify a wider range of attack types.

A person having ordinary skill in the art would have been further motivated to combine them at least because Kang '136 teaches [Kang '136 ¶ 0034, 0041, 0057, Fig. 8 and related text] modifying a flow correlation detection system [Gu 2004 § 3] such as that of Gu 2004 to arrive at the claimed invention; because Gu 2004 and Kang '136 are in the same field of endeavor; because doing so constitutes use of a known technique (attack types [Kang '136 ¶ 0034, 0041, 0057, Fig. 8 and related text]) to improve similar devices and/or methods (flow correlation detection system [Gu 2004 § 3]) in the same way; because doing so constitutes applying a known technique (attack types [Kang '136 ¶ 0034, 0041, 0057, Fig. 8 and related text]) to known devices and/or methods (flow correlation detection system [Gu 2004 § 3]) ready for improvement to yield predictable results; and because the modification amounts to combining prior art elements according to known methods to yield predictable results. Here, (1) the prior art included each element (as detailed above); (2) one of ordinary skill in the art could have combined the elements as claimed by known methods, and in this combination, each element merely performs the same function as it does separately (flow correlation detection system [Gu 2004 § 3] classifies anomalies as attacks using attack types [Kang '136 ¶ 0034, 0041, 0057, Fig. 8 and related text]); (3) one of ordinary skill in the art would have recognized that the results of the combination were predictable; and (4) other considerations do not overcome this conclusion.
Per claim 11 (dependent on claim 10): Gu 2004 in view of Xiao '853 in view of Kang '136 discloses the elements detailed in the rejection of claim 10 above, incorporated herein by reference. Gu 2004 does not disclose the identifier of the attacked host comprises an IP address of the attacked host, and the second data flow and the first data flow meeting the association condition comprises an IP address of an initiator of the second data flow comprises the IP address of the attacked host, the second data flow comprises the locator of the resource on the specified host in the local area network, and a protocol on which the second data flow is based is a protocol for a payload of the first data flow. However, Gu 2004 discloses the identifier of the attacked host comprises an IP address of the attacked host, and the second data flow and the first data flow meeting the association condition comprises an IP address of an initiator of the second data flow comprises the IP address of the attacked host, the second data flow comprises the host in the local area network, and a port on which the second data flow is based is a port of the first data flow (monitor outgoing traffic from the targeted host for behavioral anomalies, e.g. port scanning behavior [Gu 2004 § 3.3]; simulation environment including initiating attacker was an internet [Gu 2004 § 4.5]; monitors whether host targeted on a given port/protocol begins scanning other local hosts on same port/protocol [Gu 2004 § 1, § 3.0]).

Further: Xiao '853 discloses the identifier of the attacked host comprises an IP address of the attacked host, and the second data flow and the first data flow meeting the association condition comprises an IP address of an initiator of the second data flow comprises the IP address of the attacked host, the second data flow comprises the locator of the resource on the specified host in the local area network, and a protocol on which the second data flow is based is a protocol for a payload of the first data flow (monitors outgoing traffic to identify successful reverse shell attacks communicating outward with address of command and control host [Xiao '853 ¶ 0106, 0109, 0123, Fig. 8]; extracts URL used in attack, e.g. to supply commands via HTTP to reverse shell [Xiao '853 ¶ 0030, 0109, 0128]; monitors protocols, e.g. "HyperText Transfer Protocol (HTTP), a Domain Name System (DNS) request, a file transfer using File Transfer Protocol (FTP), and various other types of applications and other protocols, such as Telnet, DHCP, TCP, UDP, and TFTP (GSS))" [Xiao '853 ¶ 0022, 0030, 0049, 0084]). For the reasons detailed above with respect to claim 1, it would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Gu 2004 with the payload analysis and attack types of Xiao '853 to arrive at an apparatus, method, and product including: the identifier of the attacked host comprises an IP address of the attacked host, and the second data flow and the first data flow meeting the association condition comprises an IP address of an initiator of the second data flow comprises the IP address of the attacked host, the second data flow comprises the locator of the resource on the specified host in the local area network, and a protocol on which the second data flow is based is a protocol for a payload of the first data flow.

Claim(s) 12-13 is/are rejected under 35 U.S.C. § 103 as being unpatentable over Gu 2004 in view of Xiao '853 in view of U.S. Publication 20110213869 to Korsunsky et al. (hereinafter "Korsunsky '869"). Korsunsky '869 is prior art to the claims under 35 U.S.C. § 102(a)(1) and 35 U.S.C. § 102(a)(2).
Per claim 12 (dependent on claim 5): Gu 2004 in view of Xiao '853 discloses the elements detailed in the rejection of claim 5 above, incorporated herein by reference. Gu 2004 does not disclose the attack event comprises a file implantation attack, the specified file is a Trojan horse file, the identifier of the specified file in the attack data is a file name of the Trojan horse file on the attacked host, and the file implantation attack is an attack initiated by implanting the Trojan horse file into the attacked host.

Further: Korsunsky '869 discloses the attack event comprises a file implantation attack, the specified file is a Trojan horse file, the identifier of the specified file in the attack data is a file name of the Trojan horse file on the attacked host, and the file implantation attack is an attack initiated by implanting the Trojan horse file into the attacked host (determines successful attack if targeted host begins sending out characteristic suspicious traffic [Korsunsky '869 ¶ 0550-0563]; trojan horse attack causes targeted host to request trojan file [Korsunsky '869 ¶ 0453, 0511, 0537]). It would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Gu 2004 in view of Korsunsky '869 with the attack types of Korsunsky '869 to arrive at an apparatus, method, and product including: the attack event comprises a file implantation attack, the specified file is a Trojan horse file, the identifier of the specified file in the attack data is a file name of the Trojan horse file on the attacked host, and the file implantation attack is an attack initiated by implanting the Trojan horse file into the attacked host. A person having ordinary skill in the art would have been motivated to combine them at least because using the attack type patterns of Korsunsky '869 would have allowed the flow correlation detection system of Gu 2004 to accurately classify a wider range of attack types.

A person having ordinary skill in the art would have been further motivated to combine them at least because Korsunsky '869 teaches [Korsunsky '869 ¶ 0453, 0511, 0537, 0550-0563] modifying a flow correlation detection system [Gu 2004 § 3] such as that of Gu 2004 to arrive at the claimed invention; because Gu 2004 and Korsunsky '869 are in the same field of endeavor; because doing so constitutes use of a known technique (attack types [Korsunsky '869 ¶ 0453, 0511, 0537, 0550-0563]) to improve similar devices and/or methods (flow correlation detection system [Gu 2004 § 3]) in the same way; because doing so constitutes applying a known technique (attack types [Korsunsky '869 ¶ 0453, 0511, 0537, 0550-0563]) to known devices and/or methods (flow correlation detection system [Gu 2004 § 3]) ready for improvement to yield predictable results; and because the modification amounts to combining prior art elements according to known methods to yield predictable results. Here, (1) the prior art included each element (as detailed above); (2) one of ordinary skill in the art could have combined the elements as claimed by known methods, and in this combination, each element merely performs the same function as it does separately (flow correlation detection system [Gu 2004 § 3] classifies anomalies as attacks using attack types [Korsunsky '869 ¶ 0453, 0511, 0537, 0550-0563]); (3) one of ordinary skill in the art would have recognized that the results of the combination were predictable; and (4) other considerations do not overcome this conclusion.
Per claim 13 (dependent on claim 12): Gu 2004 in view of Xiao '853 in view of Korsunsky '869 discloses the elements detailed in the rejection of claim 12 above, incorporated herein by reference. Gu 2004 discloses the identifier of the attacked host comprises an IP address of the attacked host, and the second data flow and the first data flow meeting the association condition comprises an address of a responder of the second data flow comprises the IP address of the attacked host, and the second data flow comprises a successful access request for the Trojan horse file (monitor outgoing traffic from the targeted host for behavioral anomalies, e.g. port scanning behavior [Gu 2004 § 3.3]; simulation environment including initiating attacker was an internet [Gu 2004 § 4.5]).

Conclusion

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to THEODORE C PARSONS whose telephone number is (571)270-1475. The examiner can normally be reached on MTWRF 7:30-4:30.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Jung Kim, can be reached on (571) 272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from Patent Center. Status information for published applications may be obtained from Patent Center. Status information for unpublished applications is available through Patent Center for authorized users only. Should you have questions about access to Patent Center, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) Form at https://www.uspto.gov/patents/uspto-automated-interview-request-air-form.

/THEODORE C PARSONS/
Primary Examiner, Art Unit 2494

Footnote 1: Examiner notes that the limitation "the specified object is a specified file stored in the attacked host, and the identifier of the specified object is an identifier of the specified file" is one option among several in claim 5. Nevertheless, to advance compact prosecution, Examiner notes that Korsunsky '869 discloses or the specified object is a specified file stored in the attacked host, and the identifier of the specified object is an identifier of the specified file (determines successful attack if targeted host begins sending out characteristic suspicious traffic [Korsunsky '869 ¶ 0550-0563]; trojan horse attack causes targeted host to request trojan file [Korsunsky '869 ¶ 0453, 0511, 0537]). See rejection of claims 12-13 below for further details.
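The association conditions recited in claims 11 and 13 above (an SSRF attack is confirmed when the attacked host itself initiates a second flow carrying the LAN resource locator over the payload's protocol; a file implantation attack is confirmed when the attacked host answers a successful access request for the Trojan file) can be expressed as a small flow-correlation check. The following is an added example written for this page, not code from the applicant, the examiner, or any of the cited references. The `Flow` and `AttackEvent` records, the `"ssrf"` / `"file_implant"` labels, and all IP addresses, file names and locators are constructed for illustration; a real deployment would populate them from its own flow logs and signature alerts.

```python
"""Flow association checks for the SSRF and file-implantation cases (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse


@dataclass(frozen=True)
class Flow:
    """One observed data flow; the fields are an assumed minimal flow record."""
    src_ip: str           # initiator of the flow
    dst_ip: str           # responder of the flow
    protocol: str         # application protocol, e.g. "http"
    request: str          # URL or path requested, "" when none
    success: bool = True  # whether the responder answered the request successfully


@dataclass(frozen=True)
class AttackEvent:
    """A detected attack (the 'first data flow' already classified by signature)."""
    kind: str                               # "ssrf" or "file_implant" (constructed labels)
    attacked_host: str                      # identifier of the attacked host: its IP address
    attack_data: str                        # SSRF: locator of a LAN resource; implant: Trojan file name
    payload_protocol: Optional[str] = None  # protocol carried in the first flow's payload


def lan_host_of(locator: str) -> Optional[str]:
    """Return the host part of a locator if it is a private (LAN) IP address, else None."""
    host = urlparse(locator).hostname
    if host is None:
        return None
    try:
        return host if ipaddress.ip_address(host).is_private else None
    except ValueError:
        return None  # host name rather than an IP literal: not treated as a LAN locator here


def ssrf_associated(event: AttackEvent, second: Flow) -> bool:
    """Claim 11 condition: the attacked host initiates the second flow, the flow carries
    the LAN locator from the attack data, and it uses the protocol of the first flow's payload."""
    return (
        second.src_ip == event.attacked_host
        and lan_host_of(event.attack_data) is not None
        and event.attack_data in second.request
        and second.protocol == event.payload_protocol
    )


def implant_associated(event: AttackEvent, second: Flow) -> bool:
    """Claim 13 condition: the attacked host is the responder of the second flow and the
    flow is a successful access request for the Trojan file named in the attack data."""
    requested_name = second.request.rsplit("/", 1)[-1]
    return (
        second.dst_ip == event.attacked_host
        and second.success
        and requested_name == event.attack_data
    )


ASSOCIATION_CHECKS = {
    "ssrf": ssrf_associated,
    "file_implant": implant_associated,
}


def confirming_flow(event: AttackEvent, flows: List[Flow]) -> Optional[Flow]:
    """First second flow meeting the association condition for the event, or None."""
    check = ASSOCIATION_CHECKS.get(event.kind)
    if check is None:
        return None
    for flow in flows:
        if check(event, flow):
            return flow
    return None


def identify_successful_attacks(events: List[AttackEvent],
                                flows: List[Flow]) -> List[Tuple[AttackEvent, Flow]]:
    """Return (event, confirming flow) pairs for the attack events judged successful."""
    result = []
    for event in events:
        flow = confirming_flow(event, flows)
        if flow is not None:
            result.append((event, flow))
    return result


# Constructed sample data: one attacked host, three detected attack events,
# and the flows observed afterwards.
ATTACKED_HOST = "10.0.0.5"

SAMPLE_EVENTS = [
    AttackEvent("ssrf", ATTACKED_HOST, "http://10.0.0.20/admin/config", "http"),
    AttackEvent("file_implant", ATTACKED_HOST, "update.exe"),
    AttackEvent("ssrf", ATTACKED_HOST, "http://10.0.0.20/metrics", "http"),  # never followed up
]

SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.0.20", "dns", "10.0.0.20"),                             # wrong protocol
    Flow("10.0.0.5", "10.0.0.20", "http", "http://10.0.0.20/admin/config"),        # confirms SSRF
    Flow("10.0.0.9", "10.0.0.5", "http", "/downloads/update.exe", success=False),  # access failed
    Flow("10.0.0.9", "10.0.0.5", "http", "/downloads/update.exe"),                 # confirms implant
]

if __name__ == "__main__":
    for event, flow in identify_successful_attacks(SAMPLE_EVENTS, SAMPLE_FLOWS):
        print(f"{event.kind}: attack on {event.attacked_host} confirmed by flow "
              f"{flow.src_ip} -> {flow.dst_ip} ({flow.protocol}) {flow.request}")
```

Only the first SSRF event and the implant event are reported: the DNS flow fails the protocol match, the failed download is not a "successful access request", and the second SSRF locator never appears in any later flow. The `lan_host_of` check is the one a defender would want to keep strict, since an SSRF alert whose locator points outside the LAN does not satisfy the claimed condition at all.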

Prosecution Timeline

Jul 20, 2023: Application Filed
Jun 10, 2025: Non-Final Rejection mailed (§102, §103)
Aug 29, 2025: Response Filed
Oct 01, 2025: Final Rejection mailed (§102, §103)
Dec 15, 2025: Response after Non-Final Action
Dec 22, 2025: Interview Requested
Dec 29, 2025: Applicant Interview (Telephonic)
Jan 27, 2026: Examiner Interview Summary

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12634135: Systems and Methods for Blockchain-Based Content Co-Creation (3y 7m to grant; granted May 19, 2026)
Patent 12634291: Schema Based Access Management for Improved Information Security (2y 10m to grant; granted May 19, 2026)
Patent 12627635: System and Method for Automatic Document Protection Using Information Rights Management (4y 1m to grant; granted May 12, 2026)
Patent 12625948: Using Machine Learning to Detect QRLjacking to Prevent Multichannel Phishing on Applications or IOT Devices (2y 10m to grant; granted May 12, 2026)
Patent 12627709: Detecting Compromised Web Pages in a Runtime Environment (1y 10m to grant; granted May 12, 2026)

Prosecution Projections

Expected OA Rounds: 2-3
Grant Probability: 78%
With Interview: 99% (+22.7%)
Median Time to Grant: 3y 1m (~3m remaining)
PTA Risk: Moderate
Based on 459 resolved cases by this examiner. Grant probability derived from career allowance rate.
