Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 2-20 are pending. Claim 1 has been canceled.
Information Disclosure Statement PTO-1449
The Information Disclosure Statement submitted by applicant on 06-09-2025 and 10-21-2024 have been considered. Please see attached PTO-1449.
Claim Rejections - 35 USC § 101
835 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 2-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
The claims when analyzed under 2019 Revised Patent Subject Matter Eligibility Guidance, are directed to abstract idea. Claim 1 for example, recites a method and, therefore, is a process. The claim recites the limitation of “…receiving information regarding at least one type of malware threat targeting a computer network…performing a first set of malware tests associated with a first protection layer of the plurality of malware protection layers and a second set of malware tests associated with a second protection layer…generating a visualization that illustrates a movement of the at least one type of malware threat at the first protection layer and at the second protection layer based on results of the first set of malware tests and of the second set of malware tests… presenting the visualization within a user interface that includes one or more options for enabling or disabling one or more of the different malware protection layers…”.
These limitations, under broadest reasonable interpretation are directed performance of the limitation in a human mind. That is, nothing in the claim element precludes the step from practically being performed in the mind. For example, the claim encompasses a human simply receiving information on a piece of paper regarding a malware threat and performing a first and second set of malware test by comparing the received information to a first list, such as white list and a second list, such as black list, generating visualization by drawing on a piece of paper the movement of the malware, and presenting the drawing with options for enabling or disabling malware protection layers. Thus, the claim recites a mental process when analyzed under step 2A prong 1.
Claim is further analyzed in step 2A prong 2, to evaluate whether the claim as a whole integrates the recited judicial exception into a practical application of the exception. This evaluation is performed by identifying whether there are any additional elements recited in the claim beyond the judicial exception, and evaluating those additional elements individually and in combination to determine whether the claim as a whole integrates the exception into a practical application. However, each of the remaining limitation appears to be generic computer functions which does not constitute meaningful limitation that would amount to significantly more than the abstract idea. The combination of these additional element is no more than generic computer functions. Thus, even in combination, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limitation on practicing the abstract idea.
Claim is additionally analyzed under Step 2B to evaluates whether the claim as a whole amount to significantly more than the recited exception, whether any additional element, or combination of additional elements, adds an inventive concept to the claim. When claims evaluated under step 2B, it is no more than what is well-understood, routine, conventional activity in the field. The specification does not provide any indication anything other than a generic computer component. The mere receiving information… performing a first set of malware tests… and a second set of malware tests…generating a visualization… presenting the visualization…”is a well-understood, routing and conventional function when it is claimed in a merely generic manner as it is here.
Independent claims 11 and 20 include limitations similar to the limitations of claim 1 and are rejected under 35 U.S.C. 101 as being directed to abstract idea for the same reasons discussed above with respect to claim 1.
Claims 3 and 12 further narrow the visualization of the claim 2 to dynamically illustrate the at least one type of malware threat moving relative to the first protection layer. Dynamically displaying data or spread of malware is considered extra significant activity. This activity is well-understood, routine, and conventional. Insignificant extra-solution activity does not amount to an inventive concept, particularly when the activity is well-understood or conventional. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose meaningful limits on practicing the abstract idea.
Claims 4 and 13 recite at least one type of malware threat is illustrated in the dynamic illustration as moving toward, through, or stopping at one or more of the different malware protection layers. Dynamic illustration or displaying spread, stop or any other behavior of malware data is considered extra significant activity. This activity is well-understood, routine, and conventional. Insignificant extra-solution activity does not amount to an inventive concept, particularly when the activity is well-understood or conventional. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose meaningful limits on practicing the abstract idea
Claims 5 and 14 are directed to generating one or more deep packet inspection (DPI) signature for new malware type. Generation of new malware signature is a step that could be performed in human mined or by human simply using a pen and paper. Therefore, the additional element of generating new malware signature does not amount to significantly more than the judicial exception.
Claims 6 and 15 recite the DPI signature is provided to an external computer for storage which is considered extra significant activity. This activity is well-understood, routine, and conventional. Insignificant extra-solution activity does not amount to an inventive concept, particularly when the activity is well-understood or conventional. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose meaningful limits on practicing the abstract idea.
Claims 7 and 16 narrow the first set of malware test to include one or more of content filtering using universal resource locators (URL), botnet filtering, firewall/gateway virus inspection scanning, or intrusion prevention. However, these additional elements could be performed in human mind or by human simply using a pen and paper. Therefore, the additional elements for testing do not improve the functioning of the computer, nor add an inventive concept.
Claims 8 and 17 recite the visualization includes one or more arrowed lines that represent the at least one type of a malware threat, which is considered extra significant activity. This activity is well-understood, routine, and conventional. Insignificant extra-solution activity does not amount to an inventive concept, particularly when the activity is well-understood or conventional. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose meaningful limits on practicing the abstract idea.
Claims 9 and 18 recite the visualization includes one or more different colors for the different protection layers and the at least one type of malware threat, which is considered extra significant activity. This activity is well-understood, routine, and conventional. Insignificant extra-solution activity does not amount to an inventive concept, particularly when the activity is well-understood or conventional. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose meaningful limits on practicing the abstract idea.
Claim 10 and 19 recite the visualization is generated in real-time or in near- real-time with receipt of test data from the first set of malware tests. However, generating visualization in real-time or near real-time could be performed by human. For example, a human simply using a pen and paper could draw a visualization at the time or near the time of receipt of test data. Therefore, the additional element does not improve the functioning of the computer, nor add an inventive concept.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 2-4, 7, 8, 10-13, 16, 17, 19 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Goradia (US Patent No. 10,805,340 ), hereinafter Goradia, in view of Moore et al. (US Patent No. 10,333,898), hereinafter Moore, further in view of Sun (US Publication No. 2017/0171170), hereinafter Sun.
As per claim 2, 11 and 20, Goradia discloses a method for visualizing the spread of malware, the method comprising: receiving information targeting a computer network that is protected by a plurality of different malware protection layers corresponding to different types of malware threats (column 5, lines 22-32, “the network interface 136…configured to receive data propagating to/from one or more endpoint devices 130…and provide at least some of this data to the first TDS 1101 or a duplicated copy of the data. This data includes metadata”);
performing a first set of malware tests associated with a first protection layer of the plurality of malware protection layers (column 6, lines 47-55, “the static analysis logic 143 includes one or more software modules that, when executed by one or more controllers 141, analyzes characteristics for one or more objects within an incoming flow”, column 7, lines 25-32, “Upon detecting a match during the signature matching analysis (e.g., an object under analysis has characteristics that suggest the object is an exploit), the static analysis engine 140 determines that the object is ‘suspicious,’ namely has characteristics that suggest the object is am exploit”) and a second set of malware tests associated with a second protection layer of the plurality of malware protection layers in response to the at least one type of malware threat (column 8, lines 23-28, “After analysis of objects within the flow, the static analysis engine 140 may route one or more ‘suspect’ objects…to the dynamic analysis engine 160, which is configured to provide more in-depth analysis by analyzing the behavior of the suspect object 148 in a VM-based operating environment”);
generating a visualization that illustrates a movement of the at least one type of malware threat at the first protection layer and at the second protection layer based on results of the first set of malware tests and of the second set of malware tests (column 13, lines 25, “ The visual representation may be comprised of, among other things, a static picture of a map providing a visual illustration of the one or more hops from its point of origin to the point at which it was detected. Metadata associated with hops outside an enterprise network…may be retrieved from servers external to the enterprise network while metadata associated with the hops within the enterprise network may be accessible from a selected TDS”); and presenting the visualization within a user interface that includes one or more options associated with the computer network (column 16, lines 23, a viewer could use the selection buttons 806-808 on display screen to view different parameters of a network device).
Goradia does not explicitly discloses, receiving information regarding at least one type of malware threat; and presenting the visualization within a user interface that includes one or more options for enabling or disabling one or more of the different malware protection layers.
However, in an analogous art, Moore discloses, receiving information regarding at least one type of malware threat (column 24, lines 23-35, “receiving, by at least one threat analysis device, the first portion of the plurality of packets, the threat metadata associated with the first portion of the plurality of packets”, column 6, lines 55-56, metadata includes for example, the threat type and name).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Goradia with Moore. This would have been obvious because one of ordinary skill in the art would have been motivated to provide efficient and performant operation of threat analysis to improve the effectiveness of network protection system.
Goradia in view of Moore does not explicitly disclose, but in an analogous art, Sun discloses, presenting the visualization within a user interface that includes one or more options for enabling or disabling one or more of the different malware protection layers (paragraph [0050], “Through management console & dashboards module 310, an admin user could activate or deactivate each of the proxy detection modules”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Goradia with Moore. This would have been obvious because one of ordinary skill in the art would have been motivated to enable administrator user to configure various protection modules to prevent attacker from harming the system.
Goradia furthermore disclose a communication interface, a processor that executes instruction stored in memory and a non-transitory computer readable storage medium, as claimed in claim 11 and 20 (figure 1, column 5, lines 59-66).
As per claim 3 and 12, Goradia furthermore discloses, wherein the visualization dynamically illustrates the at least one type of malware threat moving relative to the first protection layer (figure 7, column 15, lines 5-17, the malware may travel to TDS 711 via hop path).
As per claim 4 and 13, Goradia furthermore discloses, wherein the at least one type of malware threat is illustrated in the dynamic illustration as moving toward, through, or stopping at one or more of the different malware protection layers (figure 7, column 15, lines 1-5, “the malware may also spread [moving] laterally through peer-to-peer communication within the enterprise network”).
As per claim 7 and 16, Goradia furthermore discloses, wherein the first set of malware tests includes one or more of content filtering using universal resource locators (URL), botnet filtering, firewall/gateway virus inspection scanning, or intrusion prevention (column 16, lines 54-56, “…the detection network device is a firewall, router, switch” corresponding to firewall/gateway virus inspection scanning).
As per claim 8 and 17, Goradia furthermore discloses, wherein the visualization includes one or more arrowed lines that represent the at least one type of a malware threat (figure 7, column 14, lines 40-67, The detected malware may spread laterally throughout the enterprise network. In FIG. 7, the malware travels via hop path 2 750 to TDS (web-based traffic) 710…”).
As per claim 10 and 19, Goradia furthermore discloses, wherein the visualization is generated in real-time or in near- real-time with receipt of test data from the first set of malware tests (column 11, lines 29-31, “the virtualization logic 194 may be activated by a real-time clock”).
Claims 5, 6, 14 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Goradia, in view of Moore and Sun, further in view of Carney et al. (US Publication No. 2015/0058976), hereinafter Carney.
As per claim 5 and 14, Goradia as modified does not explicitly disclose, but in an analogous art, Carney discloses, wherein the at least one type of malware threat is a new malware type, and further comprising generating one or more deep packet inspection (DPI) signatures that are characteristic of the new malware type (paragraph [0062], “the malicious traffic may be inspected according to various deep packet inspection tools s to discover discernible properties for future prevention of an attack before it overloads a customer network device. Once discovered, such properties may be used to create attack signature files”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the modified Goradia with Carney. This would have been obvious because one of ordinary skill in the art would have been motivated to protect network devices from newly generated malware.
As per claim 6 and 15, Carney furthermore discloses providing the DPI signatures to an external computer for storage (paragraph [0062], “attack signature files that can be installed at the mitigation servers 111 and/or various ingress points of the service provider network 101”). The motivation is similar to the motivation provided in claim 5
Claims 9 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Goradia, in view of Moore and Sun, further in view of Muddu et al. (US Publication No. 2017/0063912), hereinafter Muddu.
As per claim 9 and 18, Goradia as modified does not explicitly disclose, but in an analogous art, Muddu discloses, wherein the visualization includes one or more different colors for the different protection layers and the at least one type of malware threat (paragraph [0475], “Devices Location map 4009 also includes color-coded lines that connect the devices. For example, line 4093 connects the devices represented by circle 4091 to the device represented by circle 4092. The lines correspond to the one or more anomalies for which the connected devices are participants. As shown in FIG. 40H, by hovering over line 4093, the GUI generates a bubble 4095 that identifies each anomaly represented by that line and a color-code…”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the modified Goradia with Muddu. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to achieve the predictable result of enabling security analysts in the organization to quickly and easily identify detected anomalies between connected devices of an organization.
References Cited, Not Used
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Brown et al. (US Patent No. 11,588,832) discloses, techniques to provide visualizations of possible malicious incidents associated with an event on a host device may include causing presentation of graphics of a process or thread in a user interface. Information about detected events may be transmitted to a computing device that generates the visualizations for presentation to an analyst to verify the malicious incidents. Based on patterns and information conveyed in the visualizations, the computer device or host device may take action to protect operation of the host device caused by the event.
Kaloroumakis et al. (US Publication No. 2016/0149943) discloses, a system and method for network data characterization and/or classification. The method includes receiving network events, including content, converting the received content into data messages, routing the data messages to a plurality of analyzers, each of one or more analyzers that received the routed data messages analyzing the content within the data messages, in which the one or more analyzers include at least one machine-learning analyzer that classifies the content with a confidence percentage that indicates the probability that the content is malign or the confidence that a prediction that the content is malign is correct, outputting the characterization results of the one or more analyzers, and comparing the output characterization results against a plurality of criteria to determine subsequent action to take based on the characterization results.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Ali Abyaneh whose telephone number is (571) 272-7961. The examiner can normally be reached on Monday-Friday from (8:00-5:00). If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alexander Lagor can be reached on (571) 270-5143. The fax phone numbers for the organization where this application or proceeding is assigned as (571) 273-8300 Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
/ALI S ABYANEH/Primary Examiner, Art Unit 2437