Prosecution Insights
Last updated: April 19, 2026
Application No. 18/752,336

SERVER CONNECTION RESETS BASED ON DOMAIN NAME SERVER (DNS) INFORMATION

Non-Final OA: §103, §112
Filed: Jun 24, 2024
Examiner: TODD, GREGORY G
Art Unit: 2443
Tech Center: 2400 — Computer Networks
Assignee: Hyas Infosec Inc.
OA Round: 3 (Non-Final)
Grant Probability: 39% (At Risk)
OA Rounds: 3-4
To Grant: 5y 3m
With Interview: 34%

Examiner Intelligence

Career Allow Rate: 39% (171 granted / 443 resolved), -19.4% vs TC avg
Interview Lift: -4.1% (minimal -4% lift), resolved cases with interview
Avg Prosecution (typical timeline): 5y 3m, 45 currently pending
Total Applications (career history): 488 across all art units

Statute-Specific Performance

§101: 8.8% (-31.2% vs TC avg)
§103: 36.9% (-3.1% vs TC avg)
§102: 23.7% (-16.3% vs TC avg)
§112: 25.0% (-15.0% vs TC avg)
Based on career data from 443 resolved cases

Office Action

DETAILED ACTION

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment

This office action is in response to applicant’s RCE amendment filed, 21 October 2025, of application filed, with the above serial number, on 24 June 2024 in which claims 21, 26, 31, 33-34 have been amended. Claims 21-40 are pending in the application.

Claim Rejections - 35 USC § 112

The following is a quotation of 35 U.S.C. 112(b): (b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph: The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 33-34 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. The claims each recite the computing system transmitting commands before receiving the response. However, claim 31 from which they depend recites that the commands are transmitted with “the response as a basis” and after the connection is established. Thus, it is indefinite how the response is the basis for whether to transmit commands when the commands are transmitted before even receiving the response. It is further not clear if the commands are sent before receiving the response yet still after the connection is established as the two time periods would seem to overlap.

Claim 22, 28, 39 recites the limitation "an application" in line 2. It is not clear if an application in exemplary claim 22 is different from an application in claim 21.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 21-25, 29-32, 35-40 is/are rejected under 35 U.S.C. 103 as being unpatentable over Bloch et al (hereinafter “Bloch”, 2011/0078309) in view of Brinskelle (hereinafter “Brinskelle”, 2019/0354709).

As per Claim 21, Bloch discloses a method for preventing exchange of communication with malicious servers, the method comprising: generating a connection request initiated by an application to establish a connection with a connection endpoint at an Internet Protocol (IP) address (at least paragraph 70-72, fig. 4a, 6a; proxy appliance (w/traffic monitor) receiving client request to server IP address); in a log service on the computing system (at least paragraph 97; traffic monitor 508 can allow for logging): after generating the connection request, transmitting a reverse Domain Name System (DNS) request to a DNS security service, wherein the reverse DNS request identifies the IP address (at least paragraph 81, 84-85, 154; traffic monitor can perform reverse domain name service (DNS) lookup; to determine the domain name associated with an IP address, a reverse DNS lookup can be used to find the domain name); and in response to receiving a response from the DNS security service indicating the IP address is malicious, transmitting commands for resetting the connection to the connection endpoint (at least paragraph 152, 169-173, 191, 206, 69; firewall action…generate a reset packet in response to matching the address; traffic monitor can send TCP resets to known bad IP addresses; bad or malicious domain).

Bloch fails to explicitly disclose in a computing system…[the connection request] initiated by an application executing on the computing system. However, the use and advantages for using such a system was well known to one skilled in the art before the effective filing date of the claimed invention as evidenced by the teachings of Brinskelle. Brinskelle discloses, in an analogous art, a security agent 105 acting as a proxy can be deployed in line with a connection between a client 100 and intended server, and also 100 and 105 being local to each other and operating on the same computer system and further the security agent spoofing TCP resets when detecting malicious activity (at least Brinskelle paragraph 146, 149-152, 163-164, 633-641).

Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate the use of Brinskelle’s security agent being client side with Bloch as Brinskelle teaches a security agent client side can improve security for the user or client application such as a web browser and help resolve active network man in the middle attacks (at least paragraph 158-161), as well as placement on where the security agent being a well known design choice, so long as the agent is located between the application on the client and the server, the application is secure and Bloch teaches in par. 61 that the proxy appliance can be deployed in any number of modes.

As per Claim 22. The method of claim 21, wherein the IP address is programmed into an application executing on the computing system (at least paragraph 151; known bad IP address of traffic monitor application; at least Brinskelle paragraph 146, 149-152, 163-164, 633-641 web browser of client 100).

As per Claim 23. The method of claim 21, comprising: transmitting the reverse DNS request in response to determining the IP address was not obtained by the computing system using a DNS request (at least paragraph 81-84; request includes IP address not domain name, proxy performs reverse DNS).

As per Claim 24. The method of claim 21, comprising: initiating a second connection to a second connection endpoint at a second IP address (at least paragraph 70-72, fig. 4a, 6a; proxy appliance (w/traffic monitor) receiving client request to server IP address); in the log service: transmitting a second reverse DNS request to the DNS security service, wherein the second reverse DNS request identifies the second IP address (at least paragraph 81, 84-85, 154; traffic monitor can perform reverse domain name service (DNS) lookup; to determine the domain name associated with an IP address, a reverse DNS lookup can be used to find the domain name); and in response to receiving a second response from the DNS security service indicating the second IP address is not malicious, refraining from transmitting second commands for resetting the second connection (at least paragraph 104, 72; rules or policies allow firewall 604 to block or allow traffic on specified ports based on specified IP addresses, if IP address on whitelist).

Bloch fails to explicitly disclose in the computing system…initiating a second connection. However, the use and advantages for using such a system was well known to one skilled in the art before the effective filing date of the claimed invention as evidenced by the teachings of Brinskelle. Brinskelle discloses, in an analogous art, a security agent 105 acting as a proxy can be deployed in line with a connection between a client 100 and intended server, and also 100 and 105 being local to each other and operating on the same computer system and further the security agent spoofing TCP resets when detecting malicious activity (at least Brinskelle paragraph 146, 149-152, 163-164, 633-641).

Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate the use of Brinskelle’s security agent being client side with Bloch as Brinskelle teaches a security agent client side can improve security for the user or client application such as a web browser and help resolve active network man in the middle attacks (at least paragraph 158-161), as well as placement on where the security agent being a well known design choice, so long as the agent is located between the application on the client and the server, the application is secure and Bloch teaches in par. 61 that the proxy appliance can be deployed in any number of modes.

As per Claim 25. The method of claim 21, wherein the log service executes as part of an operating system of the computing system (at least paragraph 67).

As per Claim 29. The method of claim 21, comprising: transmitting the reverse DNS request in response to determining the IP address was not obtained by the computing system using a DNS request (at least paragraph 81-84; request includes IP address not domain name, proxy performs reverse DNS).

As per Claim 30. The method of claim 21, comprising: initiating a second connection to a second connection endpoint at a second IP address (at least paragraph 70-72, fig. 4a, 6a; proxy appliance (w/traffic monitor) receiving client request to server IP address); in the log service: transmitting a second reverse Domain Name System (DNS) request to the DNS security service, wherein the second reverse DNS request identifies the second IP address (at least paragraph 81, 84-85, 154; traffic monitor can perform reverse domain name service (DNS) lookup; to determine the domain name associated with an IP address, a reverse DNS lookup can be used to find the domain name); starting transmission of second commands for resetting the second connection to the second connection endpoint (at least paragraph 152, 169-173, 191, 206; send resets); and in response to receiving a second response from the DNS security service indicating the second IP address is malicious, continuing the transmission of the second commands (at least paragraph 152, 169-173, 191, 206; send resets to known bad IP addresses).

Bloch fails to explicitly disclose in the computing system…initiating a second connection. However, the use and advantages for using such a system was well known to one skilled in the art before the effective filing date of the claimed invention as evidenced by the teachings of Brinskelle. Brinskelle discloses, in an analogous art, a security agent 105 acting as a proxy can be deployed in line with a connection between a client 100 and intended server, and also 100 and 105 being local to each other and operating on the same computer system and further the security agent spoofing TCP resets when detecting malicious activity (at least Brinskelle paragraph 146, 149-152, 163-164, 633-641).

Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate the use of Brinskelle’s security agent being client side with Bloch as Brinskelle teaches a security agent client side can improve security for the user or client application such as a web browser and help resolve active network man in the middle attacks (at least paragraph 158-161), as well as placement on where the security agent being a well known design choice, so long as the agent is located between the application on the client and the server, the application is secure and Bloch teaches in par. 61 that the proxy appliance can be deployed in any number of modes.

As per Claim 31, Bloch discloses an apparatus for preventing exchange of communication with malicious servers, the apparatus comprising: one or more computer readable storage media; a processing system operatively coupled with the one or more computer readable storage media; and program instructions stored on the one or more computer readable storage media that, when read and executed by the processing system, direct the apparatus to: receive a reverse Domain Name System (DNS) request from a computing system, wherein the reverse DNS request identifies an Internet Protocol (IP) address of a connection endpoint with which the computing system initiated a connection (at least paragraph 81, 84-85, 154, 69; traffic monitor can perform reverse domain name service (DNS) lookup; to determine the domain name associated with an IP address, a reverse DNS lookup can be used to find the domain name;); determine whether the IP address is malicious (at least paragraph 69; Based on whether the domains are considered to be bad, malicious, or otherwise undesirable, the IPFW rule manager provide or update rules for a firewall using the IP addresses based on the list for those undesirable domains so that traffic to those domains can be blocked, redirected, or otherwise acted upon); and transmit a response indicating whether the IP address is malicious to the computing system, wherein the computing system uses the response as a basis for determining whether to transmit commands for resetting the connection to the connection endpoint (at least paragraph 152, 169-173, 191, 206, 69; firewall action…generate a reset packet in response to matching the address; traffic monitor can send TCP resets to known bad IP addresses).

Bloch fails to explicitly disclose the connection request is initiated by an application executing on the computing system. However, the use and advantages for using such a system was well known to one skilled in the art before the effective filing date of the claimed invention as evidenced by the teachings of Brinskelle. Brinskelle discloses, in an analogous art, a security agent 105 acting as a proxy can be deployed in line with a connection between a client 100 and intended server, and also 100 and 105 being local to each other and operating on the same computer system and further the security agent spoofing TCP resets when detecting malicious activity (at least Brinskelle paragraph 146, 149-152, 163-164, 633-641).

Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate the use of Brinskelle’s security agent being client side with Bloch as Brinskelle teaches a security agent client side can improve security for the user or client application such as a web browser and help resolve active network man in the middle attacks (at least paragraph 158-161), as well as placement on where the security agent being a well known design choice, so long as the agent is located between the application on the client and the server, the application is secure and Bloch teaches in par. 61 that the proxy appliance can be deployed in any number of modes.

As per Claim 32. The apparatus of claim 31, wherein the computing system transmits the commands to the connection endpoint when the response indicates the IP address is malicious (at least paragraph 152, 169-173, 191, 206, 69; firewall action…generate a reset packet in response to matching the address; traffic monitor can send TCP resets to known bad IP addresses; bad or malicious domain).

As per Claim 35. The apparatus of claim 31, wherein to determine whether the IP address is malicious, the program instructions direct the apparatus to: determine one or more attributes associated with the IP address; and determine whether the one or more attributes satisfy criteria to consider the connection endpoint malicious, wherein the IP address is malicious when the connection endpoint is determined to be malicious (at least paragraph 69-73; domains are considered malicious and IP address being on blacklist).

As per Claim 36. The apparatus of claim 35, wherein the one or more attributes include one or more of an attribute group comprising: a name server associated with the IP address; and a Uniform Resource Locator (URL) associated with the IP address (at least paragraph 73; If the IP addresses are not found in the whitelists, then control transfers to step 420 and step 422 in which checks are made against an administrator blacklist and whitelist based on domain or URL).

As per Claim 37. The apparatus of claim 35, wherein the criteria include one or more of a criteria group comprising: one or more whitelists; one or more blacklists; and a change in an attribute over time (at least paragraph 73; If the IP addresses are not found in the whitelists, then control transfers to step 420 and step 422 in which checks are made against an administrator blacklist and whitelist based on domain or URL).

As per Claim 38. The apparatus of claim 31, wherein a firewall directs the reverse DNS request from the computing system to the apparatus (at least paragraph 96; traffic to that domain is to be redirected to a different domain, the firewall rule manager 704 creates and communicates a rule to the firewall so that traffic to the IP address is redirected to the different domain).

As per Claim 39. The apparatus of claim 31, wherein the IP address is programmed into an application executing on the computing system (at least paragraph 151; known bad IP address of traffic monitor application; at least Brinskelle paragraph 146, 149-152, 163-164, 633-641 web browser of client 100).

As per Claim 40. The apparatus of claim 31, wherein the computing system transmits the reverse DNS request in response to determining the IP address was not obtained by the computing system using a DNS request (at least paragraph 81-84; request includes IP address not domain name, proxy performs reverse DNS).

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 26-28, 33-34 is/are rejected under 35 U.S.C. 103 as being unpatentable over Bloch in view of Brinskelle, further in view of Nussbaum et al (hereinafter “Nussbaum”, 2024/0419771).

As per Claim 26, Bloch discloses a method for preventing exchange of communication with malicious servers, the method comprising: generating a connection request to establish a connection with a connection endpoint at an Internet Protocol (IP) address (at least paragraph 70-72, fig. 4a, 6a; proxy appliance (w/traffic monitor) receiving client request to server IP address); in a log service on the computing system: transmitting a reverse Domain Name System (DNS) request to a DNS security service, wherein the reverse DNS request identifies the IP address (at least paragraph 81, 84-85, 154; traffic monitor can perform reverse domain name service (DNS) lookup; to determine the domain name associated with an IP address, a reverse DNS lookup can be used to find the domain name); starting transmission of commands for resetting the connection to the connection endpoint (at least paragraph 152, 169-173, 191, 206; firewall action…generate a reset packet in response to matching the address; traffic monitor can send TCP resets to known bad IP addresses).

Bloch fails to explicitly disclose in a computing system…[the connection request] initiated by an application executing on the computing system. However, the use and advantages for using such a system was well known to one skilled in the art before the effective filing date of the claimed invention as evidenced by the teachings of Brinskelle. Brinskelle discloses, in an analogous art, a security agent 105 acting as a proxy can be deployed in line with a connection between a client 100 and intended server, and also 100 and 105 being local to each other and operating on the same computer system and further the security agent spoofing TCP resets when detecting malicious activity (at least Brinskelle paragraph 146, 149-152, 163-164, 633-641).

Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate the use of Brinskelle’s security agent being client side with Bloch as Brinskelle teaches a security agent client side can improve security for the user or client application such as a web browser and help resolve active network man in the middle attacks (at least paragraph 158-161), as well as placement on where the security agent being a well known design choice, so long as the agent is located between the application on the client and the server, the application is secure and Bloch teaches in par. 61 that the proxy appliance can be deployed in any number of modes.

Bloch fails to explicitly disclose in response to receiving a response from the DNS security service indicating the IP address is not malicious, ending the transmission of the commands. However, the use and advantages for using such a system was well known to one skilled in the art before the effective filing date of the claimed invention as evidenced by the teachings of Nussbaum. Nussbaum discloses, in an analogous art, DNS request validation wherein if the system detects any potential attack, immediately issuing TCP RSTs to shut down a connection (at least Nussbaum paragraph 183-190).

Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate the use of Nussbaum’s reset packets with Bloch as Nussbaum teaches detecting traffic from malicious devices such that any potential threat has a connection immediately reset, thus allowing a device to be protected in the time it takes for a DNS and reverse DNS request to be checked in instances where a DNS result is not known immediately. This would be an obvious combination to allow resets to immediately be communicated to hold off on the connection and wait for a result in Bloch’s system, the trade-off being a slight connection delay but a secure result.

As per Claim 27. The method of claim 26, comprising: starting the transmission of commands in response to identifying the reverse DNS request (at least Nussbaum paragraph 183-190).

As per Claim 28. The method of claim 26, wherein the IP address is programmed into an application executing on the computing system (at least paragraph 151; known bad IP address of traffic monitor application; at least Brinskelle paragraph 146, 149-152, 163-164, 633-641 web browser of client 100).

As per Claim 33. The apparatus of claim 31, wherein the computing system begins transmitting the commands upon identifying the reverse DNS request and continues transmitting the commands when the response indicates the IP address is malicious (at least Nussbaum paragraph 183-190; Bloch paragraph 152, 169-173, 191, 206; firewall action…generate a reset packet in response to matching the address; traffic monitor can send TCP resets to known bad IP addresses).

As per Claim 34. The apparatus of claim 31, wherein the computing system begins transmitting the commands upon identifying the reverse DNS request and stops transmitting the commands when the response indicates the IP address is malicious (at least Nussbaum paragraph 183-190; Bloch paragraph 152, 169-173, 191, 206; firewall action…generate a reset packet in response to matching the address; traffic monitor can send TCP resets to known bad IP addresses).

Response to Arguments

Applicant’s arguments with respect to claim(s) 21-40 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. Applicant has not responded to the 103 Rejection in view of Nussbaum.

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to GREGORY TODD whose telephone number is (303)297-4763. The examiner can normally be reached on 8:30-5 MST.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Nicholas Taylor can be reached on 571-272-3889. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/GREGORY TODD/
Primary Examiner, Art Unit 2443

Prosecution Timeline

Jun 24, 2024: Application Filed
Aug 15, 2024: Response after Non-Final Action
Jan 25, 2025: Non-Final Rejection — §103, §112
Apr 11, 2025: Interview Requested
Apr 21, 2025: Applicant Interview (Telephonic)
Apr 21, 2025: Examiner Interview Summary
Apr 30, 2025: Response Filed
May 17, 2025: Final Rejection — §103, §112
Oct 21, 2025: Request for Continued Examination
Nov 02, 2025: Response after Non-Final Action
Feb 06, 2026: Non-Final Rejection — §103, §112 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12580996
SYSTEMS, METHODS, AND MEDIA FOR PREDICTING DATA FOR PRECACHING AND/OR RECACHING AT A COMPUTER CACHE OF A COMPUTER ENVIRONMENT
2y 5m to grant Granted Mar 17, 2026
Patent 12574347
VEHICLE NETWORK ADDRESS ASSIGNMENT
2y 5m to grant Granted Mar 10, 2026
Patent 12556472
METHOD AND DEVICE FOR PARALLELLY SENDING ROUTE ADVERTISEMENT MESSAGES
2y 5m to grant Granted Feb 17, 2026
Patent 12513048
APPARATUS AND METHOD FOR GENERATING NETWORK SLICE IN WIRELESS COMMUNICATION SYSTEM
2y 5m to grant Granted Dec 30, 2025
Patent 12500961
MULTIZONE MIGRATION SERVICES
2y 5m to grant Granted Dec 16, 2025
Study what changed to get past this examiner. Based on 5 most recent grants.


Prosecution Projections

Expected OA Rounds: 3-4
Grant Probability: 39%
With Interview: 34% (-4.1%)
Median Time to Grant: 5y 3m
PTA Risk: High
Based on 443 resolved cases by this examiner. Grant probability derived from career allow rate.
