DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Amendment
This is a reply to the amendment filed on 03/04/2026, in which claim(s) 1, 3-11 and 13-20 are pending. Claim(s) 1 and 11 are amended. Claim(s) 2 and 12 are cancelled. No claim(s) are newly added.
Response to Arguments
Claim Rejections - 35 U.S.C. § 102 and 35 U.S.C. § 103:
Applicant’s arguments with respect to the rejection of claim(s) 1, 3-11 and 13-20 have been considered but are moot in view of the new ground(s) of rejection.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 1, 3-9 and 11, 13-19 are rejected under 35 U.S.C. 103 as being unpatentable over Jia et al. (US 2024/0039893 A1) in view of John R. Rice (US 2006/0101047 A1) further in view of Xiao et al. (US 2021/0194853 A1) and further in view of Ruobin Zhang (US 2010/0132031 A1).
Regarding Claims 1 and 11, Jia discloses
capturing a plurality of first program features of an application program ([0027], “captured network traffic activity and associated meta information, such as… application identification”);
capturing a plurality of first communication features of a data packet ([0027], “captured network traffic activity and associated meta information, such as IP addresses”);
analyzing the first communication features of the data packet which is filtered to generate a plurality of second communication features ([0018], “a stateful packet inspection as it maintains records of all connections passing through the firewall and is able to determine whether a packet is the start of a new connection, a part of an existing connection”);
establishing a candidate rule according to the first program features and the first communication features ([0046], “policies 252 are received… Policies can include one or more rules, which can be specified using domain and/or host/server names, and rules can apply one or more signatures or other matching criteria or heuristics, such as for security policy enforcement for subscriber/IP flows based on various extracted parameters/information from monitored session traffic flows”);
filtering the candidate rule to generate an allow-list according to a confidence region ([0071], “Malicious/benign results 426 are used to update block lists and allow lists (e.g., based on destination IP and/or URL information) as shown at 428”, [0073-0074], “the above-described statistics analysis can be performed every 24 hours (e.g., or some other (periodic) time interval) based on the 3-tuple, timestamps, and request payload length to calculate a beacon score (e.g., a score range of 0 to 1, which corresponds to a beacon probability between 0% and 100%, in which a threshold of, for example, 0.9 can be used to identify given traffic as beacon traffic)”, “The risk evaluation system automatically determines a risk level (as confidence region) for each beacon based on the threat intelligence module integration”); and
executing a security control according to the allow-list ([0071], “An action can then be performed using the block lists and/or allow lists as shown at 430 (e.g., updated block lists and allow lists can be sent to firewalls of subscribing customers for filtering network traffic in their enterprise networks, such as data appliance 102 for enterprise network 140 as shown in FIG. 1)”).
Jia does not explicitly teach but Rice teaches
analyzing the first program features to generate a plurality of second program features ([0044], “The guards systematically and continually check the program's code and each other to see if any changes have been made”, [0189], “Execution frequency check every 0.5 seconds by 130-139”);
Jia and Rice are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Rice with the disclosure of Jia. The motivation/suggestion would have been to protect the integrity and usage of software systems and associated devices (Rice, [0002]).
The combined teaching of Jia and Rice does not explicitly teach but Xiao teaches
filtering the data packet according to a communication operation of the data packet, when the communication operation of the data packet is a broadcast operation or a forward operation the data packet is filtered out and the first communication features are not analyzed ([0087], “the smart proxy can also perform various traffic filtering during this stage of operations (e.g., …drop broadcast or multicast traffic”, therefore the communication features are not analyzed),
Jia, Rice and Xiao are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Xiao with the combined teaching of Jia and Rice. The motivation/suggestion would have been to provide automated security management.
The combined teaching of Jia, Rice and Xiao does not explicitly teach but Zhang teaches
a broadcast operation or a forward operation which is irrelevant to a role of an endpoint device ([0077], “The type filtering unit 405 is adapted to: forward the packet corresponding to the flow type irrelevant to DPI to the device… send the packet corresponding to the flow type” i.e. which is irrelevant to the role of an endpoint device),
Jia, Rice, Xiao and Zhang are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Zhang with the combined teaching of Jia, Rice and Xiao. The motivation/suggestion would have been for filtering packets to reduce the packet traffic (Zhang, [0006]).
Regarding Claims 3 and 13, the combined teaching of Jia, Rice, Xiao and Zhang teaches
wherein the allow-list comprises a program allow-list and a communication allow-list (Jia, [0056], “security platform 122 makes (update) available results of its analysis of samples via a list of (program) signatures (and/or other identifiers, such as, for example, allow and block lists”, [0071], “to update block lists and allow lists (e.g., based on destination IP and/or URL information) as shown at 428), and the security managing method further comprises:
selectively establishing the candidate rule according to the second program features and the second communication features (Jia, [0018], “the state of a connection can itself be one of the criteria that triggers a rule within a policy”, Rice, [0189], “Execution frequency check every 0.5 seconds by 130-139”);
updating the program allow-list according to the first program features and/or the second program features (Jia, [0056], “security platform 122 makes (update) available results of its analysis of samples via a list of signatures (and/or other identifiers, such as, for example, allow and block lists”); and
updating the communication allow-list according to the first communication features and/or the second communication features (Jia, [0071], “to update block lists and allow lists (e.g., based on destination IP and/or URL information) as shown at 428”).
Regarding Claims 4 and 14, the combined teaching of Jia, Rice, Xiao and Zhang teaches
applying the program allow-list and the communication allow-list to a program firewall mechanism and a communication firewall mechanism of a host device respectively (Jia, [0016-0017], “A basic packet filtering firewall filters network communication traffic by inspecting individual packets transmitted over a network”, “Application layer filtering firewalls or application firewalls can generally identify certain applications and protocols (e.g., web browsing using HyperText Transfer Protocol (HTTP), a Domain Name System (DNS) request, a file transfer using File Transfer Protocol (FTP), and various other types of applications and other protocols, such as Telnet, DHCP, TCP, UDP, and TFTP (GSS))”, [0019], “Advanced or next generation firewalls can perform stateless and stateful packet filtering and application layer filtering as discussed above”, therefore, the allow lists can be applied to a host device's firewall mechanisms respectively, [0071], “allow lists”).
Regarding Claims 5 and 15, the combined teaching of Jia, Rice, Xiao and Zhang teaches
determining whether an under-test application program complies with the program allow-list; and determining whether an under-test data packet complies with the communication allow-list (Jia, [0052], “data appliance 102 can be configured to provide the file (e.g., malware 130) and/or packet captures (pcap files) of monitored network traffic activities (e.g., sessions of network traffic activities, which may include beacon related network traffic activities) to security platform 122 for static/dynamic analysis and/or the disclosed automated analysis using the disclosed techniques for beacon and threat intelligence based APT detection, to determine whether it is malicious and/or to otherwise classify it”, i.e., whether it complies with the allow-list).
Regarding Claims 6 and 16, the combined teaching of Jia, Rice, Xiao and Zhang teaches
wherein in a blocking mode, when the under-test application program does not comply with the program allow-list, or when the under-test data packet does not comply with the communication allow-list, the step of performing the security control comprises: stopping the under-test application program by the program firewall mechanism; or blocking the under-test data packet by the communication firewall mechanism (Jia, [0071], “Malicious/benign results 426 are used to update block lists and allow lists (e.g., based on destination IP and/or URL information) as shown at 428”, [0101], “blocking access to the destination IP address… blocking/dropping the network traffic associated with the detected malicious beacon/APT related traffic activity and/or associated with that destination IP address”, i.e., does not comply with the allow-list).
Regarding Claims 7 and 17, the combined teaching of Jia, Rice, Xiao and Zhang teaches
wherein in a monitoring mode, when the under-test application program does not comply with the program allow-list, or when the under-test data packet does not comply with the communication allow-list, the step of performing the security control comprises issuing a warning (Jia, [0071], “Malicious/benign results 426 are used to update block lists and allow lists (e.g., based on destination IP and/or URL information) as shown at 428”, [0098], “a firewall can monitor network traffic”, [0101], “At 608, an action is performed in response to detecting the malicious beacon traffic.”, “alerting an endpoint user and/or a network/security administrator”).
Regarding Claims 8 and 18, the combined teaching of Jia, Rice, Xiao and Zhang teaches
wherein the first program features at least comprise a program name and a program check code, and the second program features comprise an execution frequency or an interval of starting (Rice, [0044], “The guards systematically and continually check the program's code and each other to see if any changes have been made”, [0080], “A program has a name”, [0189], “Execution frequency check every 0.5 seconds by 130-139”).
Regarding Claims 9 and 19, the combined teaching of Jia, Rice, Xiao and Zhang teaches
wherein the first communication features at least comprise an Internet Protocol (IP) source address and an IP destination address, and the second communication features comprise a connecting number for communication or a change of unit traffic (Jia, [0016], “a packet's source and destination address information”, [0018], “a stateful packet inspection as it maintains records of all connections passing through the firewall and is able to determine whether a packet is the start of a new connection, a part of an existing connection”).
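As an added illustration, and not the applicant's claims as filed nor code from Jia, Rice, Xiao or Zhang, the following Python sketch walks through the elements recited for claims 1 and 11 above together with the feature and mode details of claims 3 and 6-9: first program features (name and check code), second program features (execution count and start interval), broadcast/forward packets filtered out before any analysis, second communication features (connection count per source/destination pair), a candidate rule per observed pair, a confidence threshold that turns candidates into a program allow-list and a communication allow-list, and a security control that stops or blocks in blocking mode and only warns in monitoring mode. The programs, packets, start timestamps and the confidence score are constructed placeholders chosen for this example.

```python
# Illustrative allow-list pipeline following the claim elements quoted in this action.
# All sample data below is constructed; the confidence score is a placeholder and is
# not the beacon score of Jia or any other cited reference's method.
from collections import Counter
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Program:
    name: str
    image: bytes          # constructed stand-in for the executable's bytes
    start_times: tuple    # constructed start timestamps, in seconds


@dataclass(frozen=True)
class Packet:
    program: str
    src_ip: str
    dst_ip: str
    operation: str        # "unicast", "broadcast" or "forward"


def first_program_features(p):
    """Program name and check code (claim 8); SHA-256 of the image serves as check code."""
    return (p.name, hashlib.sha256(p.image).hexdigest())


def second_program_features(p):
    """Execution count and mean start interval derived from the start timestamps (claim 8)."""
    t = sorted(p.start_times)
    intervals = [b - a for a, b in zip(t, t[1:])]
    mean = sum(intervals) / len(intervals) if intervals else None
    return {"executions": len(t), "mean_interval": mean}


def filter_packets(packets):
    """Broadcast and forward packets are dropped before any feature analysis (claim 1)."""
    return [pk for pk in packets if pk.operation not in ("broadcast", "forward")]


def second_communication_features(packets):
    """Connection count per (program, source IP, destination IP) over filtered packets (claim 9)."""
    return Counter((pk.program, pk.src_ip, pk.dst_ip) for pk in packets)


def confidence(n_connections, executions):
    """Placeholder confidence in [0, 1): grows with repeat connections and repeat executions."""
    comm = 1 - 1 / (1 + n_connections)
    prog = 1 - 1 / executions if executions else 0.0
    return (comm + prog) / 2


def candidate_rules(programs, packets):
    """One candidate rule per observed program/communication pair (claims 1 and 3)."""
    by_name = {p.name: p for p in programs}
    conns = second_communication_features(filter_packets(packets))
    rules = []
    for (prog, src, dst), n in conns.items():
        if prog not in by_name:
            continue   # packet from a program we hold no features for
        execs = second_program_features(by_name[prog])["executions"]
        rules.append({"program": first_program_features(by_name[prog]),
                      "comm": (src, dst), "connections": n, "executions": execs})
    return rules


def build_allow_lists(candidates, threshold=0.7):
    """Keep only candidates whose confidence falls inside the accepted region (claim 1)."""
    program_allow, comm_allow = set(), set()
    for r in candidates:
        if confidence(r["connections"], r["executions"]) >= threshold:
            program_allow.add(r["program"])
            comm_allow.add(r["comm"])
    return program_allow, comm_allow


def security_control(program_feat, packet, program_allow, comm_allow, mode="blocking"):
    """Blocking mode stops the program or blocks the packet (claim 6); monitoring mode warns (claim 7)."""
    if program_feat not in program_allow:
        return "stop_program" if mode == "blocking" else "warn"
    if (packet.src_ip, packet.dst_ip) not in comm_allow:
        return "block_packet" if mode == "blocking" else "warn"
    return "allow"


# Constructed sample input: a periodically started updater and a once-run unknown tool.
SAMPLE_PROGRAMS = [
    Program("updater", b"updater-v1", (0, 600, 1200, 1800)),
    Program("unknown-tool", b"unknown-tool-v0", (0,)),
]
SAMPLE_PACKETS = [
    Packet("updater", "10.0.0.5", "203.0.113.10", "unicast"),
    Packet("updater", "10.0.0.5", "203.0.113.10", "unicast"),
    Packet("updater", "10.0.0.5", "203.0.113.10", "unicast"),
    Packet("updater", "10.0.0.5", "255.255.255.255", "broadcast"),   # filtered out
    Packet("unknown-tool", "10.0.0.5", "198.51.100.7", "forward"),    # filtered out
    Packet("unknown-tool", "10.0.0.5", "198.51.100.7", "unicast"),
]


def run_demo(mode="blocking"):
    """Build the allow-lists from the samples and decide each analyzed packet in the given mode."""
    candidates = candidate_rules(SAMPLE_PROGRAMS, SAMPLE_PACKETS)
    program_allow, comm_allow = build_allow_lists(candidates)
    by_name = {p.name: p for p in SAMPLE_PROGRAMS}
    decisions = {}
    for pk in filter_packets(SAMPLE_PACKETS):
        feat = first_program_features(by_name[pk.program])
        decisions[(pk.program, pk.dst_ip)] = security_control(feat, pk, program_allow, comm_allow, mode)
    return decisions


if __name__ == "__main__":
    print(run_demo("blocking"))
    print(run_demo("monitoring"))
```

With the constructed samples the updater's pair is seen three times by a program started four times, so its candidate clears the 0.7 threshold and both allow-lists admit it, while the unknown tool's single unicast connection does not; the same non-compliant program is stopped in blocking mode and only produces a warning in monitoring mode.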
Claims 10 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Jia et al. (US 2024/0039893 A1) in view of John R. Rice (US 2006/0101047 A1) further in view of Xiao et al. (US 2021/0194853 A1) and further in view of Ruobin Zhang (US 2010/0132031 A1) and further in view of Schwartz et al. (US 2024/0348649 A1).
Regarding Claims 10 and 20, the combined teaching of Jia, Rice, Xiao and Zhang does not explicitly teach but Schwartz teaches
performing a pre-data-process on the first program features, the second program features, the first communication features and the second communication features to generate a training data set; and using the training data set to train a computational model to establish the candidate rule; wherein, the pre-data-process at least comprises an encoding process or a classifying and labeling process ([0088], “At least one of the one or more rule generation policies may define a set of features and respective labels in the plurality of data sets characterizing prior intrusive activities that are to be used to train the machine learning model. Each of the respective labels may indicate presence or absence of intrusive activity in one or more corresponding features of the set of features (e.g., as depicted in FIG. 4B). At block 606, applying the one or more rule generation policies to the plurality of data sets characterizing prior intrusive activities may comprise training the machine learning model using training data comprising the set of features representing training inputs and the respective labels representing target outputs for the training inputs.”),
Jia, Rice, Xiao, Zhang and Schwartz are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Schwartz with the combined teaching of Jia, Rice, Xiao and Zhang. The motivation/suggestion would have been to provide automatic rule generation and data-driven detection engineering (Schwartz, [0001]).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHENG-FENG HUANG whose telephone number is (571)272-6186. The examiner can normally be reached Monday-Friday: 9 am - 5 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A Shiferaw can be reached at (571) 272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/CHENG-FENG HUANG/Primary Examiner, Art Unit 2497