DETAILED ACTION
This action is responsive to RCE filed on December 1st, 2025.
Claims 1~20 are examined.
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 12/01/25 has been entered.
Response to Arguments
Applicant’s arguments with respect to claim(s) 1~20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Claim Rejections - 35 USC § 103
The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Claims 1~4, 8~11, and 15~18 are rejected under 35 U.S.C. 103 as being unpatentable over Vejman et al. hereinafter Vejman (U.S. 2020/0236131) in view of Anderson et al. hereinafter Anderson (U.S. 2019/0245866).
Regarding Claim 1,
Vejman taught a method, comprising:
extracting encrypted traffic from communication logs for a network [¶38, encrypted traffic analytics process 248 may assess the captured telemetry data on a per-flow basis or based on their sources, destinations, temporal characteristics (e.g., flows that occur around the same time, etc.), combinations thereof];
identifying, from the encrypted traffic, while still encrypted, traffic patterns for users of the network [¶47, the encrypted traffic analytics service constructs one or more patterns of encrypted traffic using the captured telemetry data from a time period associated with the received indication. The encrypted traffic analytics service uses the one or more patterns of encrypted traffic to detect malware]; and
classifying, via a machine learning model, the encrypted traffic as benign traffic or malicious traffic without decrypting the encrypted traffic according to the connection patterns identified [¶37, using an RNN to classify captured telemetry data regarding encrypted network traffic; ¶46].
Vejman did not specifically teach extracting, identifying, classifying encrypted Tor traffic including identifying, from the encrypted traffic, while still encrypted, traffic patterns for users of the network to Tor-based networks via entry guards that are classified as benign.
Anderson taught extracting, identifying, classifying encrypted Tor traffic including identifying, from the encrypted traffic, while still encrypted, traffic patterns for users of the network to Tor-based networks via entry guards that are classified as benign [¶84, captured traffic data 416 make use of Tor protocol; ¶91, client creates a Tor connection by first negotiating a TLS handshake with a Tor entry node; ¶110, malware detector 516 include a machine learning-based classifier that is configured to classify the traffic as either malware-related or benign. In other words, even though the traffic remains encrypted, traffic analysis process 248 may determine whether the encrypted traffic is likely malware-related; ¶34, traffic analysis process 248 may classify the gathered telemetry data to detect traffic pattern changes].
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to combine Anderson’s teaching of the limitations with the teachings of Vejman, because the combination would allow many of the underlying HTTP protocol features to be inferred from encrypted traffic without compromising the HTTPS encryption itself, so the privacy of the user remains intact [Anderson: ¶127].
Regarding Claim 2,
Vejman taught further comprising:
quarantining a computing device connected to the network that is associated with the encrypted traffic identified as malicious [¶53, quarantine traffic associated with the infected endpoint].
Regarding Claim 3,
Vejman taught further comprising:
generating or supplementing a training dataset based on the connection patterns and classifications of the encrypted Tor traffic as malicious or benign [¶35, the training data may include sample telemetry data that is “normal,” or “malware-generated”].
Regarding Claim 4,
Vejman taught wherein the training dataset includes labels provided from an administrative user for a correctness of the connection patterns and the classifications being identified as malicious or benign by the machine learning model [¶34; ¶35, supervised modeling].
Regarding Claims 8~11, and 15~18, the claims are similar in scope to claims 1~4 and therefore, rejected under the same rationale.
Claims 5, 12, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Vejman and Anderson in view of Brabec et al. hereinafter Brabec (U.S. 2019/0253442).
Regarding Claims 5, 12, and 19,
Vejman-Anderson-Brabec taught further comprising:
retraining the machine learning model via the training dataset [¶47~¶54, model M is retrained/updated with samples from the new malware class].
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to combine Brabec’s teaching of the limitations with the teachings of Vejman and Anderson, because the combination would allow detection of an anomaly such as a horizontal movement (e.g., propagation of malware) or an attempt to perform information exfiltration [Brabec: ¶36].
Claims 6, 13, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Vejman and Anderson in view of Song et al. hereinafter Song (U.S. 10,911,471).
Regarding Claims 6, 13, and 20,
Vejman-Anderson-Song taught wherein the malicious traffic is caused by a zero-day malware operating on a computing device connected to the network [C16: 37~41, ability to detect all types of zero-day attacks and to make classifications based on the limited exposed information of encrypted packets].
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to combine Song’s teaching of the limitations with the teachings of Vejman and Anderson, because the combination would effectively detect evasion patterns for network-based intrusion detection [Song: C1:38~42].
Claims 7 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Vejman and Anderson in view of Zifroni et al. hereinafter Zifroni (U.S. 2022/0191223).
Regarding Claims 7 and 14,
Vejman-Anderson-Zifroni taught wherein the machine learning model classifies the encrypted Tor traffic as benign traffic or malicious traffic using features consisting of: duration features, including at least one of: an average, shortest, or longest duration connection, a number of short duration connections less than 1 minute, and an average duration between each Tor connection; data features, including at least one of: a mean, median, or mode of total data exchanged, a mean, median, or mode of total data sent or received, and a mean, median, or mode of total packets sent or received; port features, including at least one of: a number of unique destination ports used across connections, a most frequent destination port used across Tor connections, a number of non-standard DST ports seen, and a most frequent non-standard DST port; connection features, including at least one of: a number of connections seen (per host or PCAP), a number of failed or rejected attempts, a number of connections per second, and a number of failed attempts per second; and Domain Name Service (DNS) features, including at least one of: a number of DNS queries with rcode_name: REFUSED, a number of DNS queries with rcode_name: SERVFAIL, a number of uniform resource locators (URLs) seen using the "consensus" keyword, a number of URLs with the "\tor" keyword, a number of DNS queries with rcode_name: NXDOMAIN, a total number of leaked onion domains, a number of unique onion domains leaked, and a number of 'rejected' onion domain queries [¶66, Fig. 3, Table 300 ‘Common Features’, ‘Time-Frame Features’, ‘Entropy Features’].
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to combine Zifroni’s teaching of the limitations with the teachings of Vejman and Anderson, because the combination would prevent malicious activity otherwise caused by malware traffic [Zifroni: ¶2].
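To make the five feature groups recited in claims 7 and 14 concrete, the following is an added illustration of how such a per-host feature vector is computed from flow and DNS metadata alone, without any payload decryption. It is not code from the application, from the examiner, or from any of the cited references (Vejman, Anderson, Zifroni). The Zeek-style record fields, the sample records, the "standard port" set, the connection states treated as failed, and the URL keyword matches ("consensus", "/tor/") are all assumptions made for the example.

```python
"""Per-host feature extraction over constructed Zeek-style conn/dns records.

Example added for illustration; records, field names and thresholds are assumed,
not taken from the application or the cited references.
"""
from collections import Counter
from statistics import mean, median

# Constructed sample: one host's outbound flows (conn.log-like fields; ts in seconds).
CONN = [
    {"ts": 0.0,  "dport": 443,  "duration": 120.0, "orig_bytes": 4000, "resp_bytes": 90000, "orig_pkts": 60, "resp_pkts": 110, "state": "SF"},
    {"ts": 10.0, "dport": 9001, "duration": 30.0,  "orig_bytes": 1500, "resp_bytes": 2500,  "orig_pkts": 12, "resp_pkts": 14,  "state": "SF"},
    {"ts": 25.0, "dport": 9001, "duration": 0.5,   "orig_bytes": 0,    "resp_bytes": 0,     "orig_pkts": 1,  "resp_pkts": 0,   "state": "REJ"},
    {"ts": 40.0, "dport": 9030, "duration": 45.0,  "orig_bytes": 800,  "resp_bytes": 1200,  "orig_pkts": 8,  "resp_pkts": 9,   "state": "SF"},
]
# Constructed sample: the same host's DNS queries (dns.log-like fields) and observed URLs.
DNS = [
    {"query": "www.example.com",        "rcode_name": "NOERROR"},
    {"query": "abcdefghijklmnop.onion", "rcode_name": "NXDOMAIN"},
    {"query": "qrstuvwxyz123456.onion", "rcode_name": "REFUSED"},
    {"query": "abcdefghijklmnop.onion", "rcode_name": "NXDOMAIN"},
    {"query": "cache.example.net",      "rcode_name": "SERVFAIL"},
]
URLS = ["http://198.51.100.7/tor/status-vote/current/consensus", "http://www.example.com/index.html"]

STANDARD_PORTS = {53, 80, 443}        # assumed "standard" destination ports
FAILED_STATES = {"REJ", "RSTO", "S0"}  # assumed conn states counted as failed/rejected attempts


def _mmm(values):
    """Mean / median / mode triple; mode is the most frequent value, first seen on ties."""
    return {"mean": mean(values), "median": median(values), "mode": Counter(values).most_common(1)[0][0]}


def duration_features(conns):
    d = [c["duration"] for c in conns]
    ts = sorted(c["ts"] for c in conns)
    gaps = [b - a for a, b in zip(ts, ts[1:])]  # time between consecutive connection starts
    return {"avg_duration": mean(d), "shortest_duration": min(d), "longest_duration": max(d),
            "short_connections_lt_1min": sum(1 for x in d if x < 60),
            "avg_gap_between_connections": mean(gaps) if gaps else 0.0}


def data_features(conns):
    return {"total_bytes": _mmm([c["orig_bytes"] + c["resp_bytes"] for c in conns]),
            "bytes_sent": _mmm([c["orig_bytes"] for c in conns]),
            "bytes_received": _mmm([c["resp_bytes"] for c in conns]),
            "total_packets": _mmm([c["orig_pkts"] + c["resp_pkts"] for c in conns])}


def port_features(conns):
    ports = Counter(c["dport"] for c in conns)
    nonstd = Counter({p: n for p, n in ports.items() if p not in STANDARD_PORTS})
    return {"unique_dst_ports": len(ports),
            "most_frequent_dst_port": ports.most_common(1)[0][0],
            "nonstandard_dst_ports": len(nonstd),
            "most_frequent_nonstandard_port": nonstd.most_common(1)[0][0] if nonstd else None}


def connection_features(conns):
    ts = [c["ts"] for c in conns]
    window = (max(ts) - min(ts)) or 1.0  # seconds covered; guard against a single flow
    failed = sum(1 for c in conns if c["state"] in FAILED_STATES)
    return {"connections": len(conns), "failed_or_rejected": failed,
            "connections_per_sec": len(conns) / window, "failed_per_sec": failed / window}


def dns_features(dns, urls):
    rcodes = Counter(r["rcode_name"] for r in dns)
    onion = [r for r in dns if r["query"].endswith(".onion")]  # .onion names should never reach a resolver
    return {"dns_refused": rcodes["REFUSED"], "dns_servfail": rcodes["SERVFAIL"], "dns_nxdomain": rcodes["NXDOMAIN"],
            "urls_with_consensus": sum("consensus" in u for u in urls),
            "urls_with_tor_keyword": sum("/tor/" in u for u in urls),
            "onion_queries_total": len(onion),
            "onion_domains_unique": len({r["query"] for r in onion}),
            "onion_queries_rejected": sum(1 for r in onion if r["rcode_name"] == "REFUSED")}


def extract_features(conns=CONN, dns=DNS, urls=URLS):
    """Grouped feature vector for one host: the row a benign/malicious classifier would consume."""
    return {"duration": duration_features(conns), "data": data_features(conns),
            "port": port_features(conns), "connection": connection_features(conns),
            "dns": dns_features(dns, urls)}


if __name__ == "__main__":
    for group, feats in extract_features().items():
        print(group, feats)
```

Every value above is derived from flow metadata (timestamps, byte and packet counts, ports, connection states) and from DNS response codes, which is what allows the classification to proceed while the traffic itself stays encrypted; leaked .onion queries in particular are only visible because a misconfigured client sent them to a normal resolver.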
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HEE SOO KIM whose telephone number is (571)270-3229. The examiner can normally be reached M-F 9AM-5PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Nicholas Taylor can be reached on (571) 272-3889. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/HEE SOO KIM/Primary Examiner, Art Unit 2443