Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
The instant application having Application No. 18/428,798 is presented for examination by the examiner. Claims 1, 3, 15, 16, 19 and 20 are amended. Claims 1-20 have been examined.
Response to Arguments
Applicant’s arguments with respect to claim(s) 1, 15 and 19 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-10 and 15-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Modalavalasa (US 10,708,281 B1), in view of Grajek (US20180124039A1).
Regarding Claim 1
Modalavalasa discloses:
A method comprising: determining, at a server disposed in a content delivery network (CDN) and from one or more messages transmitted by an entity over the CDN, signature information and behavior information corresponding to the entity (Modalavalasa Column 5, Lines 4-19: teaches that an edge server within a CDN receives and processes messages transmitted by a client device, including (1) HTTP(S) requests containing header information such as user-agent strings and (2) JavaScript fingerprint submissions sent asynchronously by the client. These inputs collectively provide both signature information (user-agent) and behavior information (interaction patterns). The edge server then determines the signatures and behavior information corresponding to the entity by extracting and analyzing these inputs for the purpose of bot detection and classification.),
determining a type of the entity at least in part by analyzing the signature information and behavior information corresponding to the entity (Modalavalasa Column 5, Lines 4-19; Column 7, Lines 12-43: teaches that the edge server evaluates signature and behavior information collected from the client, such as user-agent and JavaScript execution behavior, using a bot detection engine. This engine applies anomaly detection rules and evaluates both primitive and compound feature sets to determine whether the entity is a bot or a legitimate user, thereby determining the type of entity based on the signature and behavior information.);
and outputting the type of the entity (Modalavalasa Column 5, Lines 4-19; Column 7, Lines 12-43: teaches that, after analyzing the fingerprint and behavioral data of a client, the edge server classifies the client as a bot or not based on a rule-based evaluation engine. The result of this classification is stored in a session cookie and is then used in subsequent requests to determine access behavior or enforcement action.).
Modalavalasa teaches that an edge server in a CDN collects and analyzes client-side signature and behavior information using rule-based and anomaly detection techniques to classify the client as a bot or a legitimate user, with the results stored in a session cookie for access control decisions. Modalavalasa does not explicitly teach that the signature information is gathered during authentication of the entity, as required by the amended claim. Instead, Modalavalasa describes collecting fingerprint information via client-side execution and subsequently validating the fingerprint at a later stage. On the other hand, Grajek teaches gathering signature information during an authentication process. Specifically, Grajek discloses that, in response to an authentication request, an authentication system sends capture instructions to a user device, which collects device characteristics (e.g., browser attributes, HTTP headers, device identifiers) and transmits the collected information back to the authentication system for use in authentication (¶0027, ¶0066–0069).
Modalavalasa already teaches determining and using fingerprint-based information for identifying an entity within a network environment. Grajek teaches that such fingerprint information can be collected dynamically during the authentication process. Thus, Modalavalasa could have been modified with the teachings of Grajek to gather the signature information during authentication, rather than prior to authentication, with the same expectation of improved security and real-time verification. The claim is obvious because one of ordinary skill in the art would have been motivated to collect signature information during authentication in order to ensure that authentication decisions are based on current device characteristics, thereby improving reliability and security of entity identification.
Regarding Claim 2
Modalavalasa discloses:
The method of claim 1, wherein the server comprises an intermediary server included in a CDN point of presence (POP) that caches content available at one or more origin servers that is to be provided by the intermediary server of the CDN POP to one or more clients (Modalavalasa Column 2, Line 46 – Column 3, Line 13 and Column 3, Line 56 – Column 4, Line 13: discloses that the CDN system comprises edge servers distributed across the internet, and that these edge servers function as intermediaries that cache content from origin servers and serve it to clients. The edge servers reside in CDN points of presence and perform content delivery.).
Regarding Claim 3
Modalavalasa teaches that an edge server in a CDN collects and analyzes client-side signature and behavior information using rule-based and anomaly detection techniques to classify the client as a bot or a legitimate user, with the results stored in a session cookie for access control decisions. Modalavalasa does not explicitly teach that the signature information is gathered during authentication of the entity. Instead, Modalavalasa describes collecting fingerprint information via client-side execution and subsequently validating the fingerprint at a later stage. On the other hand, Grajek teaches gathering signature information during an authentication process. Specifically, Grajek discloses that, in response to an authentication request, an authentication system sends capture instructions to a user device, which collects device characteristics (e.g., browser attributes, HTTP headers, device identifiers) and transmits the collected information back to the authentication system for use in authentication (¶0027, ¶0066–0069).
Modalavalasa already teaches determining and using fingerprint-based information for identifying an entity within a network environment. Grajek teaches that such fingerprint information can be collected dynamically during the authentication process. Thus, Modalavalasa could have been modified with the teachings of Grajek to gather the signature information during authentication, rather than prior to authentication, with the same expectation of improved security and real-time verification. The claim is obvious because one of ordinary skill in the art would have been motivated to collect signature information during authentication in order to ensure that authentication decisions are based on current device characteristics, thereby improving reliability and security of entity identification.
Regarding Claim 4
Modalavalasa discloses:
The method of claim 3, wherein the fingerprint-based features of the entity comprise at least one of:
user-agent (UA) information for the entity;
JA3 fingerprinting information for the entity;
cipher suite information for the entity; or
security protocol information proposed by the entity (Modalavalasa Column 8, Lines 14-30; Column 19, Lines 31-35: discloses that the fingerprint-based features include user-agent strings, TLS fingerprinting, cipher suites and proposed security protocols. These are extracted from headers and TLS handshakes during initial client interaction and used as part of the fingerprint for classification.).
Regarding Claim 5
Modalavalasa discloses:
The method of claim 1, wherein determining the signature information comprises determining a proposed set of security protocols that the entity has proposed for securing of communications of the entity (Modalavalasa Column 4, Lines 30-43; Column 4, Lines 52 – Column 5, Line 19; Column 9, Lines 31-35: teaches that TLS fingerprints and cipher suite preferences are extracted from client handshake data and used as part of the signature information. These include the security protocols the client proposes for securing communication.).
Regarding Claim 6
Modalavalasa discloses:
The method of claim 5, wherein: determining the behavior information corresponding to the entity comprises determining a behavior exhibited by the entity in the one or more messages (Modalavalasa Column 5, Lines 4-19: discloses determining behavior exhibited in client messages by analyzing request patterns, anomaly score and fingerprint return timing. These behaviors are derived directly from the messages transmitted by the entity and used to assess whether it is a bot or a legitimate client.); and
determining the type of the entity comprises analyzing the behavior exhibited by the entity (Modalavalasa Column 5, Lines 4-19: teaches determining whether a client is a bot (its type) by analyzing behavioral traits such as fingerprint anomalies and response patterns. These behaviors are used to classify the entity as a bot or legitimate user.).
Regarding Claim 7
Modalavalasa discloses:
The method of claim 5, wherein: determining the type of the entity comprises determining, based at least in part on analyzing the proposed set of security protocols, whether the entity communicating over the CDN is a nonhuman entity (Modalavalasa Column 5, Lines 31-41; Column 10, Line 59 – Column 11, Line 4: teaches determining whether an entity is a bot (nonhuman) by analyzing TLS fingerprint data, which includes the set of security protocols proposed by the client. This data is evaluated against known valid configuration, and deviations indicate bot activity, thus determining the entity type.); and
outputting the type of the entity comprises outputting an indication of whether the entity has been determined to be a nonhuman entity (Modalavalasa Column 7, Lines 12-43: teaches outputting a classification result, specifically whether a client has been identified as a bot, by setting a session cookie state to indicate whether the entity is a bot, validated or incomplete.).
Regarding Claim 8
Modalavalasa discloses:
The method of claim 1, wherein determining at least one of the signature information or the behavior information comprises analyzing log data corresponding to communications transmitted by the entity over the CDN (Modalavalasa Column 9, Lines 51-67: teaches that CDN edge servers generate and collect log data from client communications, and that this log data is mined to determine fingerprint and behavioral information for the purpose of bot detection and entity classification.).
Regarding Claim 9
Modalavalasa discloses:
The method of claim 1, wherein analyzing the signature information and behavior information comprises extracting one or more features from the one or more messages transmitted by the entity over the CDN, the one or more features comprising at least one of:
a Reverse Domain Name System (rDNS) result;
an Autonomous System Number (ASN) Mapping;
a Forward DNS result;
one or more Web Application Firewall (WAF) Alerts; or
one or more bot alerts (Modalavalasa Column 6, Lines 4-16; Column 7, Lines 12-43: teaches that clients interacting with CDN edge servers are fingerprinted and classified as bots based on anomaly scoring. When a client is identified as a bot, this classification is recorded and the session is flagged accordingly. This system tracks and logs activity from these bots and generates reports.).
Regarding Claim 10
Modalavalasa discloses:
The method of claim 9, wherein determining the type of the entity further comprises applying a predetermined set of rules to the one or more features to generate an entity classification (Modalavalasa Column 5, Line 52 – Column 6, Line 16: teaches applying a predetermined set of rules to extracted fingerprint features in order to classify the entity as a bot or human.).
Regarding Claim 15
Claim 15 is directed to a system corresponding to the computing platform recited in claim 1. Claim 15 is similar in scope to claim 1 and is therefore rejected under similar rationale.
Regarding Claim 16
Claim 16 is directed to a system corresponding to the computing platform recited in claim 3. Claim 16 is similar in scope to claim 3 and is therefore rejected under similar rationale.
Regarding Claim 17
Claim 17 is directed to a system corresponding to the computing platform recited in claim 5. Claim 17 is similar in scope to claim 5 and is therefore rejected under similar rationale.
Regarding Claim 18
Claim 18 is directed to a system corresponding to the computing platform recited in claim 6. Claim 18 is similar in scope to claim 6 and is therefore rejected under similar rationale.
Regarding Claim 19
Claim 19 is directed to an executable instruction corresponding to the computing platform recited in claim 1. Claim 19 is similar in scope to claim 1 and is therefore rejected under similar rationale.
Regarding Claim 20
Claim 20 is directed to an executable instruction corresponding to the computing platform recited in claim 5. Claim 20 is similar in scope to claim 5 and is therefore rejected under similar rationale.
Claims 11-14 is/are rejected under 35 U.S.C. 103 as being unpatentable over Modalavalasa (US 10,708,281 B1), in view of Grajek (US20180124039A1) as applied to claim 1 above, and in further view of Srinivasagopalan (US 2023/0412622 A1).
Regarding Claim 11
Modalavalasa in view of Grajek teaches that an edge server in a CDN collects and analyzes client-side signature and behavior information using rule-based and anomaly detection techniques to classify the client as a bot or a legitimate user, with the results stored in a session cookie for access control decisions. However, they do not disclose the following limitation “determining, from the one or more messages transmitted by the entity over the CDN, Internet Protocol (IP) domain information corresponding to the entity; and determining whether the entity communicating over the CDN is a legitimate known entity by at least in part matching the IP domain information corresponding to the entity; and outputting the type of the entity comprises outputting whether the entity is the legitimate known entity.”
However, in an analogous art, Srinivasagopalan discloses a CDN system/method that includes:
The method of claim 1, wherein: the method further comprises: determining, from the one or more messages transmitted by the entity over the CDN, Internet Protocol (IP) domain information corresponding to the entity (Srinivasagopalan ¶12 and 54: teaches analyzing network flow traffic to extract IP and domain information associated with entities communicating over the network. These disclosures show that domain and IP information are derived from network messages sent over the CDN.); and determining whether the entity communicating over the CDN is a legitimate known entity by at least in part matching the IP domain information corresponding to the entity (Srinivasagopalan ¶27 and 33: teaches determining whether an entity is legitimate by matching its IP/domain information against known threat intelligence repositories or classifications. This matching process allows the system to classify whether an entity is a legitimate known type or suspicious based on IP/domain data.); and
outputting the type of the entity comprises outputting whether the entity is the legitimate known entity (Srinivasagopalan ¶39-40: teaches outputting a determination of whether an entity is malicious or benign based on IP/domain analysis, which inherently includes outputting whether it is a legitimate known entity. This output reflects whether the entity is considered legitimate or not based on the classification results.).
Given the teachings of Srinivasagopalan, a person having ordinary skill in the art would have found it obvious to modify the teaching of Modalavalasa in view of Grajek to implement a system that determines IP domain information corresponding to the entity, matches that IP information against known classifications to determine whether the entity is a legitimate known entity, and outputs the classification type accordingly. Srinivasagopalan teaches analyzing network flow traffic to extract IP and domain information associated with entities and using that information to determine whether an entity is legitimate by matching it against threat intelligence repositories. The system then outputs a classification result indicating whether the entity is malicious or benign. It would have been obvious to one of ordinary skill in the art (POSITA) to use such IP/domain-based matching and classification to identify and report legitimate entities for improved visibility and threat assessment in a CDN, as such classification mechanisms are standard in entity reputation and threat intelligence systems (Srinivasagopalan ¶39-40).
Regarding Claim 12
Modalavalasa in view of Grajek teaches that an edge server in a CDN collects and analyzes client-side signature and behavior information using rule-based and anomaly detection techniques to classify the client as a bot or a legitimate user, with the results stored in a session cookie for access control decisions. However, they do not disclose the following limitation “wherein determining the type of the entity comprises determining whether the entity communicating over the CDN is a malicious nonhuman entity at least in part by using at least one trained machine learning model that leverages the signature information and behavior information corresponding to the entity to generate an entity classification prediction; and outputting the type of the entity further comprises outputting an indication of whether the entity is a malicious nonhuman entity.”
However, in an analogous art, Srinivasagopalan discloses a CDN system/method that includes:
The method of claim 1, wherein determining the type of the entity comprises determining whether the entity communicating over the CDN is a malicious nonhuman entity at least in part by using at least one trained machine learning model that leverages the signature information and behavior information corresponding to the entity to generate an entity classification prediction (Srinivasagopalan ¶27-29: teaches determining whether an entity (IP address) is malicious using trained machine learning modules that process signature and behavior-based attributes to generate a classification prediction.); and outputting the type of the entity further comprises outputting an indication of whether the entity is a malicious nonhuman entity (Srinivasagopalan ¶40: teaches outputting an indication that an entity (IP address) is malicious by transmitting a notification to a communication device or edge servers.).
Given the teachings of Srinivasagopalan, a person having ordinary skill in the art would have found it obvious to modify the teaching of Modalavalasa in view of Grajek to determine whether an entity communicating over a CDN is a malicious entity by using a trained ML model that processes signature and behavior information. Srinivasagopalan teaches that ML models use DNS and other behavior-based activities to classify whether an entity is malicious. The system then outputs this classification and transmits an indication of the results to edge servers. Applying this to CDN traffic would have been routine as it aligns with conventional security practices (Srinivasagopalan ¶40).
Regarding Claim 13
Modalavalasa in view of Grajek teaches that an edge server in a CDN collects and analyzes client-side signature and behavior information using rule-based and anomaly detection techniques to classify the client as a bot or a legitimate user, with the results stored in a session cookie for access control decisions. However, they do not disclose the following limitation “wherein determining whether the entity communicating over the CDN is a malicious nonhuman entity at least in part by using the at least one trained machine learning model that leverages the signature information and behavior information corresponding to the entity to generate the entity classification prediction comprises processing extracted features via the at least one trained machine learning model trained to generate the entity classification prediction.”
However, in an analogous art, Srinivasagopalan discloses a CDN system/method that includes:
The method of claim 12, wherein determining whether the entity communicating over the CDN is a malicious nonhuman entity at least in part by using the at least one trained machine learning model that leverages the signature information and behavior information corresponding to the entity to generate the entity classification prediction comprises processing extracted features via the at least one trained machine learning model trained to generate the entity classification prediction (Srinivasagopalan ¶27-29: teaches extracting features from network entities and processing them using trained ML models to classify whether an IP address is possibly malicious).
Given the teachings of Srinivasagopalan, a person having ordinary skill in the art would have found it obvious to modify the teaching of Modalavalasa in view of Grajek to determine whether an entity communicating over a CDN is malicious by extracting signature and behavior-based features and processing them using a trained ML model to generate a classification prediction. The claimed approach merely recites the conventional application of ML-based classification using extracted network features, which would have been a routine implementation of a known technique (Srinivasagopalan ¶27-29).
Regarding Claim 14
Modalavalasa in view of Grajek teaches that an edge server in a CDN collects and analyzes client-side signature and behavior information using rule-based and anomaly detection techniques to classify the client as a bot or a legitimate user, with the results stored in a session cookie for access control decisions. However, they do not disclose the following limitation “the entity classification prediction comprises a classification of the entity with a confidence value; and outputting the type of the entity further comprises outputting the confidence value.”
However, in an analogous art, Srinivasagopalan discloses a CDN system/method that includes:
The method of claim 13, wherein: the entity classification prediction comprises a classification of the entity with a confidence value (Srinivasagopalan ¶39: teaches generating a malicious score, a form of confidence value, that ranks how likely an IP address is malicious based on the outputs of multiple analyses and models. This malicious score functions as a confidence value used to support the classification decision.); and outputting the type of the entity further comprises outputting the confidence value (Srinivasagopalan ¶39: teaches outputting a malicious score that reflects a confidence value indicating the likelihood that an IP address is malicious, which is then used to determine whether the entity should be flagged for further evaluation.).
Given the teachings of Srinivasagopalan, a person having ordinary skill in the art would have found it obvious to modify the teaching of Modalavalasa in view of Grajek to implement an entity classification system that includes outputting both a classification of an entity and a corresponding confidence value. Srinivasagopalan teaches generating a malicious score which reflects a confidence value indicating the likelihood that an IP address is malicious. This score is based on the outputs of multiple analyses and ML models and is explicitly used to support and justify the classification decision. Srinivasagopalan further teaches that this malicious score is output alongside the classification results to inform whether the entity should be flagged for further evaluation. It would have been obvious to a POSITA to treat this malicious score as a confidence value and output it together with the classification result, as doing so improves transparency and trust in automated security systems (Srinivasagopalan ¶39).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Senecal US 11,818,149 B2 - teaches a CDN protected by a bot detection service which uses distinct cookies to manage client identification and data collection. The edge server uses the cookies to validate the session and queries the detection service for a threat score based on the collected data to determine whether to forward the client’s request.
Pignataro US 2017/0288988 A1 - teaches a method where an edge device reserves separate resource pools to apply anomaly detection rules received from both a supervisory node and peer nodes in the network. The device can validate and apply peer-provided rules, detect anomalies, perform associated actions and share rules with peers upon detecting suspicious behavior enabling collaborative and hierarchical anomaly detection.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAAD A ABDULLAH whose telephone number is (571) 272-1531. The examiner can normally be reached on Monday - Friday, 8:30am - 5:00pm, EST. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SAAD AHMAD ABDULLAH/Examiner, Art Unit 2431
/SHIN-HON (ERIC) CHEN/Primary Examiner, Art Unit 2431