Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
Claims 1-25 are pending.
Response to Arguments
The Title has been amended in accordance with the applicant’s remarks and the objection has been withdrawn.
Applicant's arguments filed 12/17/2025 with respect to the previously applied prior art rejections have been fully considered but they are not persuasive.
The applicant argues with respect to 103 rejection of claim 1 that the combination of Salajegheh and Ibatullin fails to disclose or suggest identifying a first portion of a data transmission transmitted via the network that is indicative of an anomaly and identifying a second portion of the data transmission comprising personal data, the second portion different from the first portion, and modifying the data transmission to generate a modified data transmission. Particularly, the applicant contends the references do not disclose the first portion and the second portion are different and portions of the same data transmission.
The examiner disagrees. Firstly, Salajegheh, particularly, discloses:
identifying a first portion of a data transmission transmitted via the network that is indicative of an anomaly ([0075]-[0077] discloses what data is monitored and further [0107], particularly, “In an aspect, as part of the operations in blocks 502-518 of the method 500, the smart device processor may perform real-time behavior analysis of the system's behaviors to identify anomalous behaviors from limited and coarse observations, analyze observed behaviors for anomalous behaviors, anonymize the behavior information of any detected anomalous behaviors, and transmit the anonymized behaviors to a remote server for aggregation and further analysis.” discloses identifying anomalies);
identifying a second portion of the data transmission comprising personal data, the second portion different from the first portion ([0088]-[0090], particularly, “The anonymizer module 310 may be configured to perform behavior vector anonymization operations, which may include performing, executing, and/or applying data, algorithms, classifiers, or models (collectively referred to as “anonymizer classifier models”) to the identified behavior vectors to remove any device information that might be personal to users or user-identifying (e.g. machine addresses, user data, location data, etc.). Each anonymizer classifier model may be a behavior model like the standard classifier model and include data and/or information structures (e.g., feature vectors, behavior vectors, component lists, etc.) that may be used by a smart device processor to evaluate a which specific features or aspects of a smart device behavior could be personal or user-identifying.”).
That is, Salajegheh discloses, “In an aspect, as part of the operations in blocks 502-518 of the method 500, the smart device processor may perform real-time behavior analysis of the system's behaviors to identify anomalous behaviors from limited and coarse observations, analyze observed behaviors for anomalous behaviors, anonymize the behavior information of any detected anomalous behaviors.” Note, this is after receiving data, i.e. the claimed “data transmission.” [0038] spells this out more clearly from the sender’s perspective rather than the receiver’s (i.e. the “transmission” which seems to be the applicant’s fixation) in reciting, “Observer devices may transmit behavior data received from other devices, as well as their own collected behavior information, to the primary smart device(s) for analysis and anonymization.”
Returning to the operation of the smart device processor, it is clear data needing anonymizing is identified and anonymized with such data reading on the claimed, “a second portion of the data transmission comprising personal data.” [0040] of Salajegheh spells this out explicitly, “These behavior vectors may be ‘scrubbed’ the processor executing the anonymizer module to remove any user-identifying information, leaving only necessary information in the behavior vector, such as device make, model, error behavior, and date of error.” Therefore, it is clear that the remaining, un-scrubbed data reads on the first portion of the data transmission and is identified at the same time. Again, [0040] spells this out explicitly in reciting, “leaving only necessary information in the behavior vector, such as device make, model, error behavior, and date of error.” Clearly, this “necessary information…such as error behavior” among the other un-scrubbed data at least reads on “a first portion of a data transmission transmitted via the network that is indicative of an anomaly,” and the anonymized data (“any user-identifying information”), again, reads on “a second portion of the data transmission comprising personal data.”
Secondly, with regard to the applicant’s assertion the combination Salajegheh and Ibatullin fails to disclose modifying to generate a modified data transmission as claimed, it is self-evident given the above citations and explanations that Salajegheh suggests this argued limitation, given that in Salajegheh anonymizing includes, “Observer devices may transmit behavior data received from other devices, as well as their own collected behavior information, to the primary smart device(s) for analysis and anonymization…These behavior vectors may be ‘scrubbed’ the processor executing the anonymizer module to remove any user-identifying information, leaving only necessary information in the behavior vector, such as device make, model, error behavior, and date of error.”
Lastly, Salajegheh further discloses, emphasis added by examiner, sending the modified data transmission to a remote system ([0101] and [0107], particularly, “In an aspect, as part of the operations in blocks 502-518 of the method 500, the smart device processor may perform real-time behavior analysis of the system's behaviors to identify anomalous behaviors from limited and coarse observations, analyze observed behaviors for anomalous behaviors, anonymize the behavior information of any detected anomalous behaviors, and transmit the anonymized behaviors to a remote server for aggregation and further analysis.”) to further illustrate the flaws and weakness of the applicant’s above positions with the examiner noting, again, the anonymized data transmitted from the smart device is the claimed “modified data transmission” and it was previously received un-anonymized from other devices (again, the claimed “data transmission,” is this un-anonymized data received by the smart device which is what the applicant contends Salajegheh lacks, and that contention is clearly inaccurate given Salajegheh’s disclosure).
The applicant further alleges it would not have been obvious to combine Salajegheh and Ibatullin as suggested in stating, "to provide a means to inform a greater number of interested entities if there is a bad actor [in] a computer network". Specifically, the applicant asserts it is not sufficient to meet the burden required to establish or support a prima facie conclusion of obviousness since the examiner does not identify what the "means" are, or why it would be helpful for a greater number of interested entities to be informed of a bad actor in a computer network when both references relate to centralized systems and methods for protecting computer networks, and has further not explained how or why security would be increased by a greater number of interested entities being so informed.
The examiner disagrees and notes, the examiner recognizes that obviousness may be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge generally available to one of ordinary skill in the art. See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988), In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992), and KSR International Co. v. Teleflex, Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007).
In this case, the examiner relied upon the knowledge generally available to one of ordinary skill in the art. With regard to the specific allegations by the applicant, in stating, “Therefore to would have been obvious to one of ordinary skill in the art prior to the effective filing date of the application to combine the teachings of Salajegheh and Ibatullin in order to provide a means to inform a greater number of interested entities if there is a bad actor is [in] a computer network, thereby increasing security,” it should be clear the “means” references Ibatullin’s teaching when combined with Salajegheh and the examiner does not follow the applicant’s other allegation. That is, it is self-evident that if a system provides a means (i.e. Ibatullin’s) to send and provide information to a greater number of entities for identification of malicious behavior such a system will have a greater number of entities being aware there are bad actors in a computer network as well as a better chance of finding them and such a means combined with another system would increase/improve security.
The applicant separately argues with respect to dependent claims 8, 13, and 14 that the combination of Salajegheh and Ibatullin do not disclose the recited limitations.
The examiner disagrees:
With regard to claim 8, the teachings of Salajegheh and Ibatullin as combined for the same reasons set forth in claim 1’s rejection further disclose the data transmission comprises a packet, the first portion of the data transmission comprises a first field of the packet and the second portion of the data transmission comprises a second field of the packet, different from the first field (Salajegheh, Fig. 6, [0075]-[0077]; such transmissions are in packet based network, see [0127]).
With regard to claim 13, the teachings of Salajegheh and Ibatullin as combined for the same reasons set forth in claim 1’s rejection further disclose the data transmission comprises a plurality of portions, comprising the first portion and the second portion, each of the plurality of portions associated with a respective weight, and processing the data transmission using the machine learning system comprises processing each of the plurality of portions using the respective weight (Salajegheh, Fig. 6, [0099], “The weight associated with a decision node 448 may be computed based on information collected from previous observations or analysis of smart device behaviors, software applications, or processes in the smart device.”).
With regard to claim 14, the teachings of Salajegheh and Ibatullin as combined for the same reasons set forth in claim 1’s rejection further disclose identifying the first portion of the data transmission based further on an access policy associated with the remote system (Salajegheh, Fig. 6, [0075]-[0077], particularly, “The behavior observer module 302 may monitor/observe conditions or events pertaining to user verification, such as the entry of a password, etc. Application level observations may include observing the user via facial recognition software, observing social streams, observing notes entered by the user, observing events pertaining to the use of financial applications such as PassBook, Google® wallet, and Paypal, observing a software application's access and use of protected information, etc. Application level observations may also include observing events relating to the use of virtual private networks (VPNs) and events pertaining to synchronization, voice searches, voice control (e.g., lock/unlock a phone by saying one word), language translators, the offloading of data for computations, video streaming, camera usage without user activity, microphone usage without user activity, etc.”; that is the user information anonymized in [0088]-[0090] would necessarily be linked to “an access policy” given the breadth of the applications and systems used and Ibatullin, [0071]-[0073]).
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1, 5-16, and 21-25 are rejected under 35 U.S.C. 103 as being unpatentable over Salajegheh et al (US Pub. No. 2016/0277435), hereafter, “Salajegheh,” in view of Ibatullin et al (US Pub. No. 2017/0063922), hereafter, “Ibatullin.”
As to claim 1, Salajegheh discloses a method comprising, at a processor-controlled device of a network (Fig. 3):
identifying a first portion of a data transmission transmitted via the network that is indicative of an anomaly ([0075]-[0077] discloses what data is monitored and further [0107], particularly, “In an aspect, as part of the operations in blocks 502-518 of the method 500, the smart device processor may perform real-time behavior analysis of the system's behaviors to identify anomalous behaviors from limited and coarse observations, analyze observed behaviors for anomalous behaviors, anonymize the behavior information of any detected anomalous behaviors, and transmit the anonymized behaviors to a remote server for aggregation and further analysis.” discloses identifying anomalies; see also, [0038]-[0040], particularly, “Observer devices may transmit behavior data received from other devices, as well as their own collected behavior information, to the primary smart device(s) for analysis and anonymization…These behavior vectors may be ‘scrubbed’ the processor executing the anonymizer module to remove any user-identifying information, leaving only necessary information in the behavior vector, such as device make, model, error behavior, and date of error.”);
identifying a second portion of the data transmission comprising personal data, the second portion different from the first portion ([0088]-[0090], particularly, “The anonymizer module 310 may be configured to perform behavior vector anonymization operations, which may include performing, executing, and/or applying data, algorithms, classifiers, or models (collectively referred to as “anonymizer classifier models”) to the identified behavior vectors to remove any device information that might be personal to users or user-identifying (e.g. machine addresses, user data, location data, etc.). Each anonymizer classifier model may be a behavior model like the standard classifier model and include data and/or information structures (e.g., feature vectors, behavior vectors, component lists, etc.) that may be used by a smart device processor to evaluate a which specific features or aspects of a smart device behavior could be personal or user-identifying.”; see also, [0038]-[0040], particularly, “Observer devices may transmit behavior data received from other devices, as well as their own collected behavior information, to the primary smart device(s) for analysis and anonymization…These behavior vectors may be ‘scrubbed’ the processor executing the anonymizer module to remove any user-identifying information, leaving only necessary information in the behavior vector, such as device make, model, error behavior, and date of error.”);
modifying the data transmission to generate a modified data transmission, modifying the data transmission comprising selectively anonymizing one or more portions of the data transmission such that at least the second portion of the data transmission is anonymized ([0088]-[0090], particularly, “The anonymizer module 310 may be configured to perform behavior vector anonymization operations, which may include performing, executing, and/or applying data, algorithms, classifiers, or models (collectively referred to as “anonymizer classifier models”) to the identified behavior vectors to remove any device information that might be personal to users or user-identifying (e.g. machine addresses, user data, location data, etc.). Each anonymizer classifier model may be a behavior model like the standard classifier model and include data and/or information structures (e.g., feature vectors, behavior vectors, component lists, etc.) that may be used by a smart device processor to evaluate a which specific features or aspects of a smart device behavior could be personal or user-identifying.”);
and sending the modified data transmission to a remote system ([0101] and [0107], particularly, “In an aspect, as part of the operations in blocks 502-518 of the method 500, the smart device processor may perform real-time behavior analysis of the system's behaviors to identify anomalous behaviors from limited and coarse observations, analyze observed behaviors for anomalous behaviors, anonymize the behavior information of any detected anomalous behaviors, and transmit the anonymized behaviors to a remote server for aggregation and further analysis.”)
However, Salajegheh does not explicitly disclose sending the modified data transmission to a remote system for identification of whether the first portion of the data transmission is indicative of malicious behavior. Rather, the remote server receives the data for further analysis.
But, Ibatullin discloses sending a modified data transmission to a remote system for identification of whether the first portion of the data transmission is indicative of malicious behavior ([0071]-[0073], particularly, “Computing device 10 receives the response and sends the data points and associated values to security device 20 without requiring a user of computing device 10 to perform any additional actions. Security device 20 receives the device information (114) and profile generation module 46 generates a device profile for computing device 10 (116). Security device 20 sends the generated profile to security service servers 24 (118). Security service servers 24 receive the device profile information (120)…Classifier module 80 classifies computing device 10 as a malicious device or not as a malicious device (e.g., a benign device) based on the maliciousness rating (124). In some examples, classifier module 80 compares the generated maliciousness rating to a threshold value and classifies computing device 10 based on whether or not the maliciousness rating satisfies the threshold value. Security service server 24 sends the device classification information to security device 20 (126)”).
Therefore it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the application to combine the teachings of Salajegheh and Ibatullin in order to provide a means to inform a greater number of interested entities if there is a bad actor in a computer network, thereby increasing security.
As to claim 15, Salajegheh discloses a computer-implemented method comprising:
receiving, from a processor-controlled device of a network, a received data transmission associated with a data transmission transmitted via the network ([0075]-[0077], particularly, “The behavior observer module 302 may monitor/observe transmissions or communications of the smart device, including communications that include voicemail (VoiceMailComm), device identifiers (DeviceIDComm), user account information (UserAccountComm), calendar information (CalendarComm), location information (LocationComm), recorded audio information (RecordAudioComm), accelerometer information (AccelerometerComm), etc.” with this data being then sent in [0107], particularly, “In an aspect, as part of the operations in blocks 502-518 of the method 500, the smart device processor may perform real-time behavior analysis of the system's behaviors to identify anomalous behaviors from limited and coarse observations, analyze observed behaviors for anomalous behaviors, anonymize the behavior information of any detected anomalous behaviors, and transmit the anonymized behaviors to a remote server for aggregation and further analysis.” see also, [0038], particularly, “Observer devices may transmit behavior data received from other devices, as well as their own collected behavior information, to the primary smart device(s) for analysis and anonymization”), the received data transmission comprising:
data derived from a first portion of the data transmission ([0107], particularly, “In an aspect, as part of the operations in blocks 502-518 of the method 500, the smart device processor may perform real-time behavior analysis of the system's behaviors to identify anomalous behaviors from limited and coarse observations, analyze observed behaviors for anomalous behaviors, anonymize the behavior information of any detected anomalous behaviors, and transmit the anonymized behaviors to a remote server for aggregation and further analysis.” Note not all the data is anonymized, see [0090], particularly “The anonymizer module 310 may be configured to perform behavior vector anonymization operations, which may include performing, executing, and/or applying data, algorithms, classifiers, or models (collectively referred to as “anonymizer classifier models”) to the identified behavior vectors to remove any device information that might be personal to users or user-identifying (e.g. machine addresses, user data, location data, etc.).” That is, the behavior vectors not including “information that might be personal to users or user-identifying” reads on “a first portion of the data transmission”; see also, [0038]-[0040], particularly, “Observer devices may transmit behavior data received from other devices, as well as their own collected behavior information, to the primary smart device(s) for analysis and anonymization…These behavior vectors may be ‘scrubbed’ the processor executing the anonymizer module to remove any user-identifying information, leaving only necessary information in the behavior vector, such as device make, model, error behavior, and date of error.”),
an anonymized second portion of the data transmission, wherein the received data transmission is indicative that the data derived from the first portion of the data transmission is for use in identifying malicious behavior ([0107], particularly, “In an aspect, as part of the operations in blocks 502-518 of the method 500, the smart device processor may perform real-time behavior analysis of the system's behaviors to identify anomalous behaviors from limited and coarse observations, analyze observed behaviors for anomalous behaviors, anonymize the behavior information of any detected anomalous behaviors, and transmit the anonymized behaviors to a remote server for aggregation and further analysis.” Note not all the data is anonymized, see [0090], particularly “The anonymizer module 310 may be configured to perform behavior vector anonymization operations, which may include performing, executing, and/or applying data, algorithms, classifiers, or models (collectively referred to as “anonymizer classifier models”) to the identified behavior vectors to remove any device information that might be personal to users or user-identifying (e.g. machine addresses, user data, location data, etc.).” That is, the behavior vectors including “information that might be personal to users or user-identifying” reads on “a second portion of the data transmission”; see also, [0038]-[0040], particularly, “Observer devices may transmit behavior data received from other devices, as well as their own collected behavior information, to the primary smart device(s) for analysis and anonymization…These behavior vectors may be ‘scrubbed’ the processor executing the anonymizer module to remove any user-identifying information, leaving only necessary information in the behavior vector, such as device make, model, error behavior, and date of error.”);
processing the data derived from the first portion of the data transmission to identify that the first portion of the data transmission is indicative of malicious behavior ([0101] and [0107], particularly, “In an aspect, as part of the operations in blocks 502-518 of the method 500, the smart device processor may perform real-time behavior analysis of the system's behaviors to identify anomalous behaviors from limited and coarse observations, analyze observed behaviors for anomalous behaviors, anonymize the behavior information of any detected anomalous behaviors, and transmit the anonymized behaviors to a remote server for aggregation and further analysis.”).
However, Salajegheh does not explicitly disclose sending, to the processor-controlled device, an indication that the first portion of the data transmission is indicative of the malicious behavior. Specifically, while Salajegheh discloses the smart device sending portions of the data transmissions to the remote server for further analysis, it does not explicitly disclose the smart device receiving an indication that the data transmission is malicious.
But, Ibatullin discloses receiving, from a processor-controlled device of a network, a received data transmission associated with a data transmission transmitted via the network ([0071]-[0073], particularly, “Computing device 10 receives the response and sends the data points and associated values to security device 20 without requiring a user of computing device 10 to perform any additional actions. Security device 20 receives the device information (114) and profile generation module 46 generates a device profile for computing device 10 (116). Security device 20 sends the generated profile to security service servers 24 (118). Security service servers 24 receive the device profile information (120).” “security device 20” reading on “a processor-controlled device”) and
sending, to a processor-controlled device, an indication that a first portion of a data transmission is indicative of the malicious behavior ([0071]-[0073], particularly, “Classifier module 80 classifies computing device 10 as a malicious device or not as a malicious device (e.g., a benign device) based on the maliciousness rating (124). In some examples, classifier module 80 compares the generated maliciousness rating to a threshold value and classifies computing device 10 based on whether or not the maliciousness rating satisfies the threshold value. Security service server 24 sends the device classification information to security device 20 (126)”).
Therefore it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the application to combine the teachings of Salajegheh and Ibatullin in order to provide a means to inform a greater number of interested entities if there is a bad actor in a computer network, thereby increasing security.
As to claim 22, it is rejected by a similar rationale to that set forth in claim 1’s rejection.
As to claim 24, it is rejected by a similar rationale to that set forth in claim 15’s rejection.
As to claims 21 and 25, they are rejected by a similar rationale to that set forth in claim 1 and 15’s rejection.
As to claim 5, the teachings of Salajegheh and Ibatullin as combined for the same reasons set forth in claim 1’s rejection further disclose the first portion of the data transmission comprises further personal data (Salajegheh, [0090], particularly “The anonymizer module 310 may be configured to perform behavior vector anonymization operations, which may include performing, executing, and/or applying data, algorithms, classifiers, or models (collectively referred to as “anonymizer classifier models”) to the identified behavior vectors to remove any device information that might be personal to users or user-identifying (e.g. machine addresses, user data, location data, etc.).”).
As to claim 6, the teachings of Salajegheh and Ibatullin as combined for the same reasons set forth in claim 1’s rejection further disclose the data transmission is transmitted via the network to or from a user device of the network (Salajegheh, [0075]-[0077]).
As to claim 7, the teachings of Salajegheh and Ibatullin as combined for the same reasons set forth in claim 1’s rejection further disclose the processor-controlled device is a gateway of the network (Salajegheh, Fig. 2 and Ibatullin, Fig. 1).
As to claim 8, the teachings of Salajegheh and Ibatullin as combined for the same reasons set forth in claim 1’s rejection further disclose the data transmission comprises a packet, the first portion of the data transmission comprises a first field of the packet and the second portion of the data transmission comprises a second field of the packet, different from the first field (Salajegheh, [0075]-[0077]).
As to claim 9, the teachings of Salajegheh and Ibatullin as combined for the same reasons set forth in claim 1’s rejection further disclose after sending the modified data transmission to the remote system, receiving, from the remote system, an indication that a determination has been made that the data transmission is indicative of malicious behavior (Ibatullin, [0071]-[0073], particularly, “Classifier module 80 classifies computing device 10 as a malicious device or not as a malicious device (e.g., a benign device) based on the maliciousness rating (124). In some examples, classifier module 80 compares the generated maliciousness rating to a threshold value and classifies computing device 10 based on whether or not the maliciousness rating satisfies the threshold value. Security service server 24 sends the device classification information to security device 20 (126)”).
As to claim 10, the teachings of Salajegheh and Ibatullin as combined for the same reasons set forth in claim 1’s rejection further disclose identifying the first portion of the data transmission comprises processing the data transmission using a machine learning system implemented by the processor-controlled device (Salajegheh, [0039]).
As to claim 11, the teachings of Salajegheh and Ibatullin as combined for the same reasons set forth in claim 1’s rejection further disclose identifying the first portion of the data transmission comprises processing the data transmission, and traffic data indicative of network traffic activity associated with a plurality of data transmissions transmitted via the network, using the machine learning system (Salajegheh, [0039] and [0075]-[0077]).
As to claim 12, the teachings of Salajegheh and Ibatullin as combined for the same reasons set forth in claim 1’s rejection further disclose the machine learning system is configured to determine, upon processing the data transmission, a type of anomaly present in the data transmission, and identifying the first portion of the data transmission comprises identifying that the first portion of the data transmission is relevant to the type of anomaly (Salajegheh, [0101]).
As to claim 13, the teachings of Salajegheh and Ibatullin as combined for the same reasons set forth in claim 1’s rejection further disclose the data transmission comprises a plurality of portions, comprising the first portion and the second portion, each of the plurality of portions associated with a respective weight, and processing the data transmission using the machine learning system comprises processing each of the plurality of portions using the respective weight (Salajegheh, [0099]).
As to claim 14, the teachings of Salajegheh and Ibatullin as combined for the same reasons set forth in claim 1’s rejection further disclose identifying the first portion of the data transmission based further on an access policy associated with the remote system (Salajegheh, [0075]-[0077] and Ibatullin, [0071]-[0073]).
As to claim 16, the teachings of Salajegheh and Ibatullin as combined for the same reasons set forth in claim 1’s rejection further disclose a format of the data derived from the first portion of the data transmission is indicative that the data derived from the first portion of the data transmission is for use in identifying malicious behavior (Salajegheh, [0101] and Ibatullin, [0071]-[0073]).
Claims 2-4 and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Salajegheh and Ibatullin in further view of Ahuja et al (US Pub. No. 2019/0207954), hereafter, “Ahuja”.
As to claim 2, the teachings of Salajegheh and Ibatullin disclose the parent claim but do not disclose modifying the data transmission comprises selectively encrypting one or more portions of the data transmission such that at least the first portion of the data transmission is encrypted. However, Ahuja discloses selectively encrypting one or more portions of a data transmission such that at least the first portion of the data transmission is encrypted ([0080]-[0082], particularly, “Initiation of data traffic may be identified based on detecting the establishment of a connection, an initial flow of bytes, the first packet transmitted for a period of time, etc. At block 1004, protocol extrapolation processor 820 determines a classification type for the encryption protocol used for the data packet.”).
Therefore it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the application to combine the teachings of Salajegheh and Ibatullin with Ahuja in order to provide a means to prevent eavesdropping when transmitting across a network.
As to claim 3, the teachings of Salajegheh, Ibatullin, and Ahuja as combined for the same reasons set forth in claim 2’s rejection further disclose identifying a third portion of the data transmission, different from the first portion and the second portion of the data transmission, wherein the first portion of the data transmission is encrypted using a first encryption protocol, and the third portion of the data transmission is encrypted using a second encryption protocol, different from the first encryption protocol (Ahuja, [0080]-[0082], particularly, “Initiation of data traffic may be identified based on detecting the establishment of a connection, an initial flow of bytes, the first packet transmitted for a period of time, etc. At block 1004, protocol extrapolation processor 820 determines a classification type for the encryption protocol used for the data packet... At block 1006, protocol extrapolation processor 820 determines a protocol identification. Examples of protocol identifications include, but are not limited to: file transfer, peer-to-peer, SSL, SSH, etc.”).
As to claim 4, the teachings of Salajegheh, Ibatullin, and Ahuja as combined for the same reasons set forth in claim 2’s rejection further disclose the first portion of the data transmission is encrypted using attribute-based encryption (Ahuja, [0080]-[0082], particularly, “Initiation of data traffic may be identified based on detecting the establishment of a connection, an initial flow of bytes, the first packet transmitted for a period of time, etc. At block 1004, protocol extrapolation processor 820 determines a classification type for the encryption protocol used for the data packet...At block 1006, protocol extrapolation processor 820 determines a protocol identification. Examples of protocol identifications include, but are not limited to: file transfer, peer-to-peer, SSL, SSH, etc.”).
As to claim 17, the teachings of Salajegheh and Ibatullin disclose the parent claim but do not disclose the data derived from the first portion of the data transmission is an encrypted version of the first portion of the data transmission, encrypted using a predetermined encryption protocol, and the data derived from the first portion of the data transmission is identified as being for use in identifying malicious behavior based on identifying that the first portion of the data transmission is encrypted using the predetermined encryption protocol.
However, Ahuja discloses the data derived from a first portion of a data transmission is an encrypted version of the first portion of the data transmission, encrypted using a predetermined encryption protocol, and a data derived from the first portion of the data transmission is identified as being for use in identifying malicious behavior based on identifying that the first portion of the data transmission is encrypted using the predetermined encryption protocol ([0080]-[0082], particularly “Initiation of data traffic may be identified based on detecting the establishment of a connection, an initial flow of bytes, the first packet transmitted for a period of time, etc. At block 1004, protocol extrapolation processor 820 determines a classification type for the encryption protocol used for the data packet... At block 1006, protocol extrapolation processor 820 determines a protocol identification. Examples of protocol identifications include, but are not limited to: file transfer, peer-to-peer, SSL, SSH, etc.”).
Therefore it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the application to combine the teachings of Salajegheh and Ibatullin with Ahuja in order to provide a means to prevent eavesdropping when transmitting across a network.
As to claim 18, the teachings of Salajegheh, Ibatullin, and Ahuja as combined for the same reasons set forth in claim 17’s rejection further disclose the predetermined encryption protocol is attribute-based encryption (Ahuja, [0080]-[0082], particularly “Initiation of data traffic may be identified based on detecting the establishment of a connection, an initial flow of bytes, the first packet transmitted for a period of time, etc. At block 1004, protocol extrapolation processor 820 determines a classification type for the encryption protocol used for the data packet... At block 1006, protocol extrapolation processor 820 determines a protocol identification. Examples of protocol identifications include, but are not limited to: file transfer, peer-to-peer, SSL, SSH, etc.”).
As to claim 19, the teachings of Salajegheh, Ibatullin, and Ahuja as combined for the same reasons set forth in claim 17’s rejection further disclose processing the data derived from the first portion of the data transmission comprises decrypting the encrypted version of the first portion of the data transmission to generate a decrypted version of the first portion of the data transmission, and processing the decrypted version of the first portion of the data transmission to identify that the first portion of the data transmission is indicative of the malicious behavior (Ahuja, [0080]-[0082], particularly “Initiation of data traffic may be identified based on detecting the establishment of a connection, an initial flow of bytes, the first packet transmitted for a period of time, etc. At block 1004, protocol extrapolation processor 820 determines a classification type for the encryption protocol used for the data packet... At block 1006, protocol extrapolation processor 820 determines a protocol identification. Examples of protocol identifications include, but are not limited to: file transfer, peer-to-peer, SSL, SSH, etc.”).
As to claim 20, the teachings of Salajegheh, Ibatullin, and Ahuja as combined for the same reasons set forth in claim 17’s rejection further disclose the received data transmission comprises a third portion encrypted using a further encryption protocol different from the predetermined encryption protocol (Ahuja, [0080]-[0082], particularly “Initiation of data traffic may be identified based on detecting the establishment of a connection, an initial flow of bytes, the first packet transmitted for a period of time, etc. At block 1004, protocol extrapolation processor 820 determines a classification type for the encryption protocol used for the data packet... At block 1006, protocol extrapolation processor 820 determines a protocol identification. Examples of protocol identifications include, but are not limited to: file transfer, peer-to-peer, SSL, SSH, etc.”).
Conclusion
THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THOMAS J DAILEY whose telephone number is (571)270-1246. The examiner can normally be reached on 9:30am-6:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Umar Cheema can be reached on 571-270-3037. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/THOMAS J DAILEY/ Primary Examiner, Art Unit 2458