DETAILED ACTION
1. This office action is in response to the communication filed on 01/25/2024.
2. Claims 1-20 are pending.
Notice of Pre-AIA or AIA Status
3. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Objections
4. Claim(s) 1, 14, and 20 is/are objected to because of the following informalities:
In the first paragraph, the limitation “MAC” needed to be spelled out.
Appropriate correction(s) is/are required.
Allowable Subject Matter
5. Claim 12 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
6. The following is a statement of reasons for the indication of allowable subject matter:
The present invention is directed toward a method to detecting and/or mitigating Media Access Control address spoofing in computer networks. Claim 12 identifies the uniquely distinct features for monitoring network traffic to generate device fingerprint data, the device fingerprint data including a plurality of records, each record associated with one of a plurality of devices in the one or more networks and including a respective MAC address and a set of one or more characteristics associated with a respective device; determining whether two or more devices are utilizing a common MAC address based at least on the device fingerprint data; and performing a predetermined action dependent on the determining whether two or more devices are utilizing the common MAC address; wherein determining whether two or more devices are utilizing a common MAC address involves generating a confidence score indicative of a confidence that the common MAC address is being used by two or more devices, and wherein performing the predetermined action is dependent on the confidence score exceeding a threshold confidence score; monitoring network traffic to determine MAC address usage statistics including at least one of: an indication of times at which MAC addresses have been used in the one or more networks; and an indication of which of the one or more networks the MAC addresses are used in, wherein generating the confidence score is dependent on the device fingerprint data and the MAC address usage statistics; wherein if the MAC address usage statistics indicate that two devices associated with the common MAC address in the device fingerprint data are located in the same network the confidence score will represent a higher confidence than if the MAC address usage statistics indicate that the two devices associated with the common MAC address in the device fingerprint data are not located in the same network; taken in combination with the remaining limitations of the independent claim are not found in and/or are not obvious in view of the closest recorded prior arts.
One of the closest prior arts, Butti et al. (US 2008/0250498 A1), discloses a method for detecting address spoofing in a wireless network. The other closest prior art, Fainberg et al. (US 2020/0213352 A1), discloses a method for detecting media access control (MAC) address spoofing. However, either singularly or in combination, Butti et al. and/or Fainberg et al. do/does not disclose the above uniquely distinct features taken in combination with the remaining limitations of the independent claim(s).
Therefore, claim 12 is in condition for allowance.
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.
7. Claim(s) 1-3, 5-7, 10-11, 14-16, 18, and 20 is/are rejected under 35 U.S.C. 102(a)(1)/102(a)(2) as being anticipated by Butti et al. (US 2008/0250498 A1, hereafter Butti).
Regarding claim(s) 1, 14, and 20:
Butti discloses a network management device configured to control one or more networks, the network management device comprising a processor and storage, the storage comprising executable instructions which, when executed by the processor, cause the network device to (see fig. 1):
monitor network traffic to generate device fingerprint data, the device fingerprint data including a plurality of records, each record associated with one of a plurality of devices in the one or more networks and including a respective MAC address and a set of one or more characteristics associated with a respective device (see para. 12 and/or 36 where radio/wireless communication channels (i.e., network traffic) are listened to retrieve frames/packets exchanged in network, wherein frame data (i.e., device fingerprint data) associated with the frames are stored/recorded in a table (i.e., records comprising frame data are generated to be stored in a table), wherein each stored frame data includes a MAC address and a timestamp (i.e., characteristic) associated with a frame sent from an access point (i.e., device));
determine whether two or more devices are utilizing a common MAC address based at least on the device fingerprint data; and perform a predetermined action dependent on the determining whether two or more devices are utilizing the common MAC address (see paras. 33, 36-37 where two recorded frame data communicated from two access points are determined to have the same MAC address, wherein an alarm is generated and/or the frames are deleted).
Regarding claim(s) 2 and 15:
Butti discloses:
wherein monitoring network traffic to generate the device fingerprint data includes deriving the MAC address and set of characteristics associated with a said device of the plurality of devices from one or more messages received from said device (see paras. 11-13, and/or 33, 40), and
wherein the method includes at least one of:
performing passive scans of devices attached to the one or more networks to obtain messages from said devices, wherein a passive scan involves receiving communications transmitted between two or more devices in the one or more networks; or performing active scans of the devices attached to the one or more networks to obtain messages from said devices, wherein an active scan involves: transmitting a message to a said device in the one or more networks to trigger a response; and receiving the response from the said device in the one or more networks (see paras. 12 and/or 36).
Regarding claim(s) 3 and 16:
Butti discloses:
wherein if it is determined that two or more devices are utilizing the common MAC address, the predetermined action includes at least one of: preventing at least one device that is utilizing the common MAC address from communicating with other devices in the one or more networks; preventing all devices that are utilizing the common MAC address from communicating with other devices in the network; or generating an alert signal representative of an outcome of the determining whether the common MAC address is utilized by two or more devices (see paras. 12, 37, and/or 59).
Regarding claim(s) 5:
Butti discloses:
monitoring network traffic to determine MAC address usage statistics including at least one of: an indication of times at which MAC addresses have been used in the one or more networks; or an indication of which network the MAC addresses are used in, wherein determining whether two or more devices are utilizing the common MAC address is additionally based on the MAC address usage statistics (see paras. 33 and/or 57).
Regarding claim(s) 6:
Butti discloses:
wherein determining whether two or more devices are utilizing the common MAC address is based on:
a determination that two records in the device fingerprint data are associated with the common MAC address (see paras. 33, 36-37); and
at least one of: a determination that the common MAC address has been used substantially concurrently by two or more devices based on the MAC address usage statistics; or a determination that the two devices associated with the common MAC address in the device fingerprint data are located in the same network based on the MAC address usage statistics (see para. 33 where two access points communicate using the same MAC address at the same time (i.e., substantially concurrently)).
Regarding claim(s) 7 and 18:
Butti discloses:
wherein determining whether two or more devices are utilizing a common MAC address involves generating a confidence score indicative of a confidence that the common MAC address is being used by two or more devices, and wherein performing the predetermined action is dependent on the confidence score exceeding a threshold confidence score (see paras. 31, 42-44 where an illegitimate access point spoofs an MAC address of a legitimate access point to communicate frame(s) having same MAC address with the legitimate access point, wherein the difference between the two timestamp is computed, and wherein an illegitimate access point is detected when the value of the difference is greater than a threshold).
Regarding claim(s) 10:
Butti discloses:
monitoring network traffic to determine MAC address usage statistics including at least one of: an indication of times at which MAC addresses have been used in the one or more networks; and an indication of which of the one or more networks the MAC addresses are used in, wherein generating the confidence score is dependent on the device fingerprint data and the MAC address usage statistics (see paras. 31-33, 42-44).
Regarding claim(s) 11:
Butti discloses:
wherein if the MAC address usage statistics indicate that the common MAC address has been used substantially concurrently by two devices associated with the common MAC address in the device fingerprint data the confidence score will represent a higher confidence than if the MAC address usage statistics indicate that the common MAC address has not been used substantially concurrently by the two devices associated with the common MAC address in the device fingerprint data (see paras. 33, 38).
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
8. Claim(s) 4 and 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Butti in view of Fainberg et al. (US 2020/0213352 A1, hereafter Fainberg).
Regarding claim(s) 4 and 17:
Butti discloses:
wherein the one or more networks each include at least one network device configured to connect the devices in the one or more networks (see fig. 1 and paras. 12, 50).
Butti does not, but Fainberg discloses:
wherein preventing devices utilizing the common MAC address from communicating with other devices in the one or more networks comprises instructing the at least one network device to: restrict communications that are received from devices utilizing the common MAC address; and restrict communications that are directed to devices utilizing the common MAC address (see Fainberg, paras. 25, 34 where devices that are spoofing MAC address(es) to utilize the same MAC address(es) with other device(s) on a network for communication are identified; see paras. 23, 26 where communication using the same MAC address is blocked; see paras. 37, 54 where traffic/communication via a port is restricted or blocked; see paras. 92-93 where a port is a source port or a destination port).
It would have been obvious to one having ordinary skill in the art to which the claimed invention pertains, before the effective filing date of the claimed invention, to modify Butti's invention by enhancing it for preventing devices utilizing the common MAC address from communicating with other devices in the one or more networks comprises instructing the at least one network device to: restrict communications that are received from devices utilizing the common MAC address; and restrict communications that are directed to devices utilizing the common MAC address, as taught by Fainberg, in order for restricting traffic or communication on a port where a device that is spoofing a MAC address is communicatively coupled (Fainberg, para. 37).
9. Claim(s) 8, 9, and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Butti in view of Yadav et al. (US 2016/0359897 A1, hereafter Yadav).
Regarding claim(s) 8 and 19:
Butti does not, but Yadav discloses:
wherein each record in the device fingerprint data includes a respective fingerprint confidence score indicative of a confidence in the set of characteristics included in the respective record, and wherein the confidence score is dependent on the fingerprint confidence scores associated with the two or more devices (see Yadav, paras. 31, 48, 51-52, where network traffic/flows (i.e., records) are stored in network storage, wherein each traffic/flow includes a MAC address, characteristics, and a reputation score associated with the characteristics including characteristic of spoof MAC address; see para. 65 where a reputation score includes a confidence score, wherein a reputation score is calculated based on the reputation scores of nodes/entities (i.e., devices)).
It would have been obvious to one having ordinary skill in the art to which the claimed invention pertains, before the effective filing date of the claimed invention, to modify Butti's invention by enhancing it for each record in the device fingerprint data includes a respective fingerprint confidence score indicative of a confidence in the set of characteristics included in the respective record, and wherein the confidence score is dependent on the fingerprint confidence scores associated with the two or more devices, as taught by Yadav, in order for determining the reputation score associated with the one or more nodes based on the type of traffic for the one or more flows associated with the one or more nodes (Yadav, para. 55).
Regarding claim(s) 9:
Butti does not, but Yadav discloses:
wherein the fingerprint confidence score for a said record is determined based on at least one of the following: an amount of data received in messages from the said device that are used to derive the respective set of characteristics; a number of messages used to derive the respective set of characteristics; whether the respective set of characteristics are inferred from the messages or explicitly signaled in the messages; and the type of messages received from the device (see Yadav, paras. 51, 55).
10. Claim(s) 13 is/are rejected under 35 U.S.C. 103 as being unpatentable over Butti in view of Fainberg et al. (US 2021/0099473 A1, hereafter Fainberg).
Regarding claim(s) 13:
Butti does not, but Fainberg discloses:
wherein the sets of characteristics represented in the device fingerprint data each include at least one of: a device type; an operating system; an indication of software running on the device; a device model; an identification number associated with the device; or an indication of services provided by the device (see Fainberg, paras. 20-21, where properties (i.e., characteristics) from network traffic associated with a MAC address are monitored and stored, wherein properties include operating system (OS) data, DHCP device class, network function, connection type (e.g., wired or wireless), etc.).
It would have been obvious to one having ordinary skill in the art to which the claimed invention pertains, before the effective filing date of the claimed invention, to modify Butti's invention by enhancing it for the sets of characteristics represented in the device fingerprint data each include at least one of: a device type; an operating system; an indication of software running on the device; a device model; an identification number associated with the device; or an indication of services provided by the device, as taught by Fainberg, in order for determining an anomaly based on properties associated with an entity (Fainberg, abstract).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Xue et al. (US 2024/0397475 A1), SYSTEMS AND METHODS FOR CROSS-LAYER DEVICE FINGERPRINTING.
Nandha Premnath et al. (US 2018/0295519 A1), Detecting Media Access Control (MAC) Address Spoofing in a Wi-Fi Network Using Channel Correlation.
Duffau et al. (US 2008/0263660 A1), Method, Device and Program for Detection of Address Spoofing in a Wireless Network.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HUAN V. DOAN whose telephone number is 571-272-3809. The examiner can normally be reached on Monday – Thursday, 9:00am – 5:00pm EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, PHILIP CHEA, can be reached on 571-272-3951. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/HUAN V DOAN/Primary Examiner, Art Unit 2499