DETAILED ACTION
This office action is in response to the correspondence filed on 05/28/2024. Claims 1-11 are pending and are examined.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Priority
Applicant's claim for the benefit of a prior-filed application under 35 U.S.C. 119(e) or under 35 U.S.C. 120, 121, 365(c), or 386(c) is acknowledged.
Information Disclosure Statement
The information disclosure statement (IDS) was submitted on 04/18/2025. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner except for NPL items 4-5. Examiner was unable to locate those documents cited amongst the Applicant’s submissions either by title or page number.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-4, and 10-11 are rejected under 35 U.S.C. 103 as being unpatentable over ALTHOUSE et al. (US Pub No. 2018/0324153 A1 per IDS, referred to as ALTHOUSE), in view of Nanda et al. (US Pub No. 2007/0021126 A1 per IDS, referred to as Nanda).
Regarding claims 1, 10, and 11, taking claim 1 as exemplary, ALTHOUSE discloses,
1. A method of categorizing computer network communications, comprising:
receiving data related to a communication over a computer network; (ALTHOUSE: [0051]; the first step calls for monitoring packet data traffic over a network, step 302 ...Next is detecting (receiving) a client hello packet CHP received from a client seeking to begin a session, step 304.)
extracting information from said communication; (ALTHOUSE: [0051]; the process then extracts selected data from the CHP at step 306.)
organizing said information into at least one digital component fingerprint, said at least one component fingerprint comprising: (ALTHOUSE: [0051]; at step 308, the method processes the extracted data to form a client ID string. Next, the client ID string is mapped to form a client fingerprint (processing the extracted data).)
a text string… wherein at least one of said sections is human-readable; and (ALTHOUSE: [0051]; the mapping of step 310 may apply a hash function to the client ID to form the client fingerprint. In one embodiment, the hash function may return a fingerprint (a string of characters) 32 characters long (a human-readable text string); [0051]; next these strings are hashed, preferably using the MD5 algorithm, to produce the SSL Client Fingerprint. It is 128 bits long or 32 hex characters. 769,47-53-5-10-49161-49162-49171-49172-50-56-19-4,0-10-11,23-24-25,0==ada70206e40642a3e4461f35503241d5)
outputting said at least one component fingerprint for analysis. (ALTHOUSE: [0051]; finally, the fingerprint may be logged in a database (outputting the fingerprint).)
ALTHOUSE does not explicitly disclose, however Nanda teaches,
a text string that is delimited into a plurality of sections, (Nanda: [0046]; note that although each fingerprint in this table is denoted by a vector of length n, there may be less than n non-null components of the vector. That is, several values may be null so that the fingerprint comparison is restricted to the vector components that are not null (components of the vector that make up the fingerprint constitute a text string that is delimited).)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of Nanda into the teachings of ALTHOUSE with a motivation of improving power consumption and battery life for mobile devices by intelligently searching for available wireless LANs and searching efficiency is to adaptively refine the criteria used to determine whether or not a wireless LAN is close by (Nanda: [0008]).
Regarding the non-exemplary limitations of claim 11, ALTHOUSE discloses,
11. A computer system, comprising:
a communicative connection to a network; (ALTHOUSE: [0017])
a memory for receiving data related to a communication over said network; and (ALTHOUSE: [0017])
a processor for extracting information from said communication and organizing said information into at least one digital component fingerprint, said at least one component fingerprint comprising: (ALTHOUSE: [0017])
Regarding claim 2, the combination of ALTHOUSE and Nanda discloses,
2. The method of claim 1,
ALTHOUSE does not explicitly disclose, however Nanda teaches,
further comprising: comparing said component fingerprint against a database of component fingerprints. (Nanda: [0050]; the comparison of a current fingerprint to a stored fingerprint can be performed in a variety of ways without departing from the scope of the present disclosure. [0054]; next the fingerprint for each of these access points is then compared, in block 324, to the current fingerprint to determine if there is a match (the table of fingerprints constitutes a database of fingerprints).)
The same motivation that was utilized for combining ALTHOUSE and Nanda as set forth in claim 1 is equally applicable to claim 2.
Regarding claim 3, the combination of ALTHOUSE and Nanda discloses,
3. The method of claim 1,
ALTHOUSE further discloses,
further comprising: initiating a security action based on a characteristic of said component fingerprint. (ALTHOUSE: [0042]; a database such as 210 may be used to generate or maintain a blacklist of clients (identified by fingerprints as described herein) to be denied access to an information system as they present a security risk (denying access constitutes a security action and a fingerprint being on the blacklist constitutes a characteristic of the fingerprint).)
Regarding claim 4, the combination of ALTHOUSE and Nanda discloses,
4. The method of claim 1,
ALTHOUSE further discloses,
wherein said component fingerprint is characterized as one from the list comprising: a Transport Layer Security (TLS) server response/session fingerprint; (ALTHOUSE: [0051]; FIG. 3 shows a simplified flow diagram of an example process for fingerprinting a client based on a Transport Layer Security (TLS) or SSL client hello packet. The first step calls for monitoring packet data traffic over a network, step 302 (fingerprinting based on TLS client constitutes a TLS server response/session fingerprint));
a Hypertext Transfer Protocol (HTTP) client fingerprint;
a latency measurement distance/location fingerprint;
a passive Transmission Control Protocol (TCP) client fingerprint; a passive TCP server response fingerprint;
a Secure Shell Protocol (SSH) traffic fingerprint; and an active TCP server fingerprint.
Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over ALTHOUSE, in view of Nanda and further in view of Anderson, et al. "OS fingerprinting: New techniques and a study of information gain and obfuscation." per IDS (hereinafter, "Anderson").
Regarding claim 5, the combination of ALTHOUSE and Nanda discloses,
5. The method of claim 1,
The combination of ALTHOUSE and Nanda does not explicitly disclose,
further comprising: combining a plurality of component fingerprints related to said communication to create a composite fingerprint.
Anderson is in the field of OS fingerprinting (abstract) and teaches further comprising: combining a plurality of component fingerprints related to said communication to create a composite fingerprint (In this work, we consider only passive fingerprinting, which we formalize as the process of assigning one or more categories C from a set of categories C = {c1, c2, ...} to some observed network traffic based on a vector of data features f = {f1, f2, ...} by an assignment function a: F → C*, where F denotes the set of possible feature vectors or fingerprints, pg. 2, col. 1, para 2, [F denoting possible fingerprints constitute a plurality of component fingerprints]; In contrast to treating each network flow independently, this experiment collects all fingerprints from an endpoint within a 60 minute window, and then classifies that window ... For each fingerprint type, we created a binary feature vector by defining a feature for each unique fingerprint that had at least 100 occurrences in the training dataset, and we set the binary feature to 1 if the associated fingerprint was observed in the window ... We also introduce a fourth model that leverages all available fingerprints by concatenating all three feature vectors; this feature vector had a length of 615, pg. 5, col. 2, paras 2-3, [the binary feature vector for each fingerprint type being concatenated all together constitutes a composite fingerprint]).
It would have been obvious to one of ordinary skill in the art before the priority date to modify the combination of ALTHOUSE and Nanda with the fingerprinting of Anderson for the purpose of integrating all data types in a multi-session model to identify the major and minor versions of operating systems. This system accumulates data features within a fixed time window, and applies a machine learning classifier to utilize them (see Anderson pg. 1, col. 2, para 4-pg. 2, col. 1, para 1).
Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over ALTHOUSE, in view of Nanda and further in view of Wu, et al., "My site knows where you are: a novel browser fingerprint to track user position," (hereinafter, "Wu").
Regarding claim 6, the combination of ALTHOUSE and Nanda discloses,
6. The method of claim 1,
ALTHOUSE does not explicitly disclose,
wherein said at least one component fingerprint is a latency measurement distance/location fingerprint, said method further comprising: using a plurality of said component fingerprints to determine the physical location of a client or a server.
Nanda teaches using a plurality of said component fingerprints to determine the physical location of a client or a server (The information may be utilized as a conceptual fingerprint, or a signature, of a location of the mobile device 102. Thus, if locations within the area 140 have a certain known fingerprint, then the mobile device can determine its current fingerprint and compare it to the known fingerprint to determine whether the mobile device is located within the area 140, para 0037, [the known fingerprints of locations being used to compare against a fingerprint of a mobile device to determine its location constitutes using a plurality of component fingerprints to determine a physical location of a client]).
It would have been obvious to one of ordinary skill in the art before the priority date to modify ALTHOUSE with the fingerprint of Nanda for the purpose of improving power consumption and battery life for mobile devices by intelligently searching for available wireless LANs and searching efficiency is to adaptively refine the criteria used to determine whether or not a wireless LAN is close by (see Nanda, para 0008).
Wu is in the field of user tracking (abstract) and teaches wherein said at least one component fingerprint is a latency measurement distance/location fingerprint (The physical location fingerprint on the browser utilizes the physical time delay, from the users' browsers to one or more web servers, to extract users' location fingerprint and determine their identity, pg. 1, col. 2, para 3, [the physical time delay constitutes a latency measure, therefore, the physical location fingerprint constitutes a latency measurement location fingerprint]).
It would have been obvious to one of ordinary skill in the art before the priority date to modify the combination of ALTHOUSE and Nanda with the tracking of Wu for the purpose of utilizing the position information rather than browser information, which has less relevance to users' browsers. As a result, the physical location fingerprint can be more robust to identify the users using more than one browser platform (see Wu, pg. 1, col. 2, para 5).
Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over ALTHOUSE, in view of Nanda and further in view of China Pat. No. CN 113037746 A (per IDS, referred to as ICBC).
Regarding claim 7, the combination of ALTHOUSE and Nanda discloses,
7. The method of claim 1,
The combination of ALTHOUSE and Nanda does not explicitly disclose,
further comprising: analyzing said at least one component fingerprint to determine whether said communication is from a virtual private network (VPN) or a proxy server.
ICBC is in the field of fingerprint extraction (abstract) and teaches further comprising: analyzing said at least one component fingerprint to determine whether said communication is from a virtual private network (VPN) or a proxy server (According to the network security detection method provided by the embodiment of the disclosure, the accuracy of user behavior analysis detection of an untrusted user (for example, a hacker accesses a webpage based on a dynamic proxy or a VPN) can be improved by 1.8% by using conventional TLS fingerprint data, para 0115, [using TLS fingerprint data to detect webpage access via VPN constitutes determining a communication is from a VPN]).
It would have been obvious to one of ordinary skill in the art before the priority date to modify the combination of ALTHOUSE and Nanda with the fingerprint extraction of ICBC for the purpose of providing a client identity recognition method where the dimensionality reduction processing is performed on the feature set of the TLS fingerprint based on the simhash algorithm, the target fingerprint obtained after the dimensionality reduction processing has a high fault tolerance rate, the similarity of the target fingerprint can be compared by calculating the distance (such as the Hamming distance), the same result can be obtained by recognizing the same client request in different scenes based on the target fingerprint, and the accuracy of client identity recognition and the fault tolerance rate in different scenes are improved (see ICBC para 0105).
Claims 8 and 9 are rejected under 35 U.S.C. 103 as being unpatentable over ALTHOUSE, in view of Nanda and further in view of Albanese, et al. "A deception based approach for defeating OS and service fingerprinting." (hereinafter, "Albanese").
Regarding claim 8, the combination of ALTHOUSE and Nanda discloses,
8. The method of claim 1,
The combination of ALTHOUSE and Nanda does not explicitly disclose,
further comprising: based on said at least one component fingerprint, initiating a security action to obscure a device/system from an internet scanner.
Albanese is in the field of OS and service fingerprinting (abstract) and teaches further comprising: based on said at least one component fingerprint, initiating a security action to obscure a device/system from an internet scanner (Specifically, we implemented an operating system fingerprint module to modify the responses to the SinFP's probes and a service fingerprint module to modify banner information for specific services, pg. 257, col. 2, para 4; In the second set of experiments, we evaluated our approach from the point of view of an attacker trying to determine the operating system of a remote host or the type of services running on it... we deceived both OS and service fingerprinting by exposing a Windows 7/Vista OS fingerprint and an Apache 2.2.1 service fingerprint. When the deception mechanism is enabled, the OS is misidentified accordingly... 2) Fingerprinting Tools: Table III reports the results of scans performed with different fingerprinting tools. As one can see, our approach is able to effectively deceive several fingerprinting tools. For instance, we are able to alter the perception of the target system even when the attacker uses either nmap or Xprobe++, which adopt a different probing scheme, pg. 259, col. 2, paras 1-4, [deceiving OS fingerprinting of a Windows 7/Vista OS by exposing a Windows 7/Vista OS fingerprint, this constitutes based on a fingerprint initiating obscuring a device system from an internet scanner since as a result of the deception, the Windows 7/Vista OS is not detected and thus obscured from scanners such as Nessus, nmap, and Xprobe++]).
It would have been obvious to one of ordinary skill in the art before the priority date to modify the combination of ALTHOUSE and Nanda with the OS and service fingerprinting of Albanese for the purpose of deceiving potential intruders into making incorrect inferences about system characteristics without Fingerprinting Tools: Table III reports the results of scans performed with different fingerprinting tools. As one can see, our approach is able to effectively deceive several fingerprinting tools. For instance, we are able to alter the perception of the target system even when the attacker uses either nmap or Xprobe++, which adopt a different probing scheme (see Albanese, pg. 253, col. 1, para 3-col. 2, para 1).
Regarding claim 9, the combination of ALTHOUSE, Nanda and Albanese discloses,
9. The method of claim 8,
The combination of ALTHOUSE and Nanda does not explicitly disclose,
wherein said device/system remains visible to other devices/systems having a certain characteristic.
Albanese teaches wherein said device/system remains visible to other devices/systems having a certain characteristic (Nessus: In order to test how our approach can deceive an attacker using Nessus, we audited the system with and without the deceptive Kernel Module enabled. Table II shows the results of the respective Nessus scans. The original system is a fully patched Ubuntu 12.04 server and has no known vulnerabilities. When no deception is used, the system is correctly identified, and all the information derived by Nessus is accurate. Next, we deceived both OS and service fingerprinting by exposing a Windows 7/Vista OS fingerprint and an Apache 2.2.1 service fingerprint. When the deception mechanism is enabled, the OS is misidentified accordingly. Moreover, deceiving service fingerprinting leads to false shows that for a general purpose computer running Windows Vista and using the deceptive Kernel, for low or critical risk, i.e., certain characteristics, Windows Vista is visible, but is deceived for other levels or risk]).
It would have been obvious to one of ordinary skill in the art before the priority date to modify the combination of ALTHOUSE and Nanda with the OS and service fingerprinting of Albanese for the purpose of deceiving potential intruders into making incorrect inferences about system characteristics without Fingerprinting Tools: Table III reports the results of scans performed with different fingerprinting tools. As one can see, our approach is able to effectively deceive several fingerprinting tools. For instance, we are able to alter the perception of the target system even when the attacker uses either nmap or Xprobe++, which adopt a different probing scheme (see Albanese, pg. 253, col. 1, para 3-col. 2, para 1).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KA SHAN CHOY whose telephone number is (571) 272-1569. The examiner can normally be reached on MON - FRI: 9AM-5:30PM EST Alternate Fridays.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on (571) 272-3685. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/KA SHAN CHOY/Primary Examiner, Art Unit 2435