Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
This is in response to Application #18/797,332 filed on 08/07/2024 in which Claims 1-36 are presented for examination.
Status of Claims
Claims 1-36 are pending, of which Claims 1-13, 19-31 are rejected under 35 U.S.C. 103, dependent Claims 14-18, 32-36 are objected to as being allowable as a whole over prior art if rewritten in independent form including all of the limitations of their base independent claim and any intervening dependent claims.
Applicant’s Most Recent Claim Set of 08/072024
Applicant’s most recent claim set of 08/07/2024 is considered to be the latest claim set under consideration by the examiner.
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:
(A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function;
(B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and
(C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function.
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitation(s) is/are: “a leads pipeline identifying, comparing”, “a scanner pipeline probing, generating”, “an enrichment pipeline enriching, appending”, “a shipping pipeline transmitting, update” in claim(s) 19.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.
For more information, see MPEP § 2173 et seq. and Supplementary Examination Guidelines for Determining Compliance With 35 U.S.C. 112 and for Treatment of Related Issues in Patent Applications, 76 FR 7162, 7167 (Feb. 9, 2011).
Prior Art Rejections - 35 USC § 102 and/or 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claim(s) 19-31, 1-13, are rejected under 35 U.S.C. 103 as being unpatentable over Wang et al US Patent #9,143,522 in view of Plunk et al US Patent #10,769,000.
Regarding Claim 19, Wang et al. discloses:
A system in a network of computing devices comprising [(Wang et al. Abstract Lines 3-4; Figure 2 Items 202, 204B, 206, 208C) where Wang et al. teaches a system in a network of computing devices that monitors network traffic to identify suspicious network traffic]:
a leads pipeline identifying a plurality of leads from amongst the computing devices by comparing data received from the computing devices to soft fingerprints [(Wang et al. Abstract Lines 3-7; Figure 2 Items 202, 204B, 206, 208C) where Wang et al. teaches the identifying and processing of leads or computing device threats from amongst the computing devices on the network by comparing data received from the computing devices to soft fingerprints or features found in the network data];
a scanner pipeline probing each of the plurality of leads, and generating a threat indicator in response to the probing [(Wang et al. Abstract Lines 3-11; Figure 2 Items 202, 204B, 206, 208C) where Wang et al. teaches the identifying and processing of leads or computing device threats from amongst the computing devices on the network by comparing data received from the computing devices to soft fingerprints or features found in the network data, with these leads or computing device threats as they are identified and processed assigned scores to reflect an indication of the threat or risk characterization of the monitored network traffic];
an enrichment pipeline enriching the plurality of leads in response to probing each of the plurality of leads and appending enrichment data to the threat indicator [(Wang et al. Abstract Lines 3-14; Figure 2 Items 202, 204B, 206, 208C) where Wang et al. teaches the identifying and processing of leads or computing device threats from amongst the computing devices on the network by comparing data received from the computing devices to soft fingerprints or features found in the network data, with these leads or computing device threats as they are identified and processed assigned scores to reflect an indication of the threat or risk characterization of the monitored network traffic, and enriching or increasing the leads or computing device threats by increasing the threat indicator score based on a correlation of additional suspicious behaviors associated with the monitored network traffic]; and
a shipping pipeline transmitting the threat indicator and the enrichment data to update a search cluster [(Wang et al. Column 9 Lines 39-49; Column 10 Lines 5-10, 23-26, 34-40; Figure 2 Items 202, 204B, 206, 208C, 210) where Wang et al. teaches the communicating or transmitting of malware or computing device threats gleaned from monitored traffic into a threat indicator score along with additional malicious behavior to a security cloud service indicating a server search cluster of multiple cloud servers participating in the search for malicious behavior].
Wang et al does not appear to explicitly disclose:
using an emulator, wherein the emulator emulates an agent for the type of command and control server for each lead
However, Plunk et al discloses:
using an emulator, wherein the emulator emulates an agent for the type of command and control server for each lead [(Cole et al Column 20 Lines 55-67; Column 21 Lines 1-25) where Cole et al teaches the use of an emulator that emulates the agent or malicious domain of a specific command and command control server for a specific lead or malicious threat].
Wang et al and Plunk et al are analogous art because they are from the “same field of endeavor” and are from the same “problem-solving area”. Namely, they are both from the field of “information security”.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Wang et al and the teachings of Plunk et al by providing an emulator that emulates the agent or malicious domain of a specific command and command control server for a specific lead or malicious threat as taught by Plunk et al in the teaching described by Wang et al.
The motivation for doing so would be to increase the usability and flexibility of Wang et al by providing an emulator that emulates the agent or malicious domain of a specific command and command control server for a specific lead or malicious threat as taught by Plunk et al in the teaching described by Wang et al so as to provide ways to emulate malicious behavior in a secure manner for forensic purposes.
Regarding Claim 20, most of the limitations of this claim have been noted in the rejection of Claim 19. Applicant is directed to the rejection of Claim 19 above. In addition, the combination of Wang et al and Plunk et al discloses:
The system of Claim 19 wherein the leads comprise address and port combinations for possible command and control servers for malware, wherein each of the possible command and control servers comprises a type of command and control server [(Wang et al. Column 3 Lines 19-25; Column 11 Lines 12-21; Column 13 Lines 49-55) where Wang et al teaches the use of address and port combinations for identifying and locating command and control malware servers, each of which are of a type of command and control malware server].
Regarding Claim 21, most of the limitations of this claim have been noted in the rejection of Claim 19. Applicant is directed to the rejection of Claim 19 above. In addition, the combination of Wang et al and Plunk et al discloses:
The system of Claim 19 further comprising: said leads pipeline, wherein said identifying comprises identifying said plurality of leads based on a configuration of where to gather leads, and what leads to gather defined by a lead generation query. [(Wang et al. Column 7 Lines 4-16) where Wang et al teaches the gathering of leads or threats in response to a lead or threat generation query by monitoring network traffic or monitoring network threat logs].
Regarding Claim 22, most of the limitations of this claim have been noted in the rejection of Claim 19. Applicant is directed to the rejection of Claim 19 above. In addition, the combination of Wang et al and Plunk et al discloses:
The system of Claim 19 further comprising: said leads pipeline, wherein said identifying comprises identifying said plurality of leads using soft fingerprints [(Wang et al. Abstract Lines 3-7; Figure 2 Items 202, 204B, 206, 208C) where Wang et al. teaches the identifying and processing of leads or computing device threats from amongst the computing devices on the network by comparing data received from the computing devices to soft fingerprints or features found in the network data].
Regarding Claim 23, most of the limitations of this claim have been noted in the rejection of Claim 19. Applicant is directed to the rejection of Claim 19 above. In addition, the combination of Wang et al and Plunk et al discloses:
The system of Claim 19 further comprising: said scanner pipeline, wherein said probing each of said leads comprises probing each of said leads with an HTTP or HTTPS request [(Wang et al. Column 3 Lines 19-25; Column 11 Lines 12-21; Column 13 Lines 49-55) where Wang et al teaches the use of HTTP requests for specific HTTP addresses for identifying and locating command and control malware servers which have been identified by malicious malware threats].
Regarding Claim 24, most of the limitations of this claim have been noted in the rejection of Claim 19. Applicant is directed to the rejection of Claim 19 above. In addition, the combination of Wang et al and Plunk et al discloses:
The system of Claim 19 further comprising: said enrichment pipeline, wherein said enriching comprises enriching based on analyzing an HTTP or HTTPS response. [(Wang et al. Abstract Lines 3-14; Column 3 Lines 19-25; Column 11 Lines 12-21; Column 13 Lines 49-55; Figure 2 Items 202, 204B, 206, 208C) where Wang et al teaches the use of HTTP responses for specific HTTP addresses for enriching or increasing the leads or computing device threats by increasing the threat indicator score based on a correlation of additional suspicious behaviors associated with the monitored network traffic].
Regarding Claim 25, most of the limitations of this claim have been noted in the rejection of Claim 19. Applicant is directed to the rejection of Claim 19 above. In addition, the combination of Wang et al and Plunk et al discloses:
The system of Claim 19 further comprising: said enrichment pipeline, wherein said enriching comprises enriching based on analyzing a hash of an HTTP or HTTPS response [(Wang et al. Abstract Lines 3-14; Column 3 Lines 19-25; Column 11 Lines 12-21, 51-67; Column 12 Lines 1-9; Column 13 Lines 49-55; Figure 2 Items 202, 204B, 206, 208C) where Wang et al teaches analyzing hashes of HTTP responses for specific HTTP addresses for enriching or increasing the leads or computing device threats by increasing the threat indicator score based on a correlation of additional suspicious behaviors associated with the monitored network traffic].
Regarding Claim 26, most of the limitations of this claim have been noted in the rejection of Claim 19. Applicant is directed to the rejection of Claim 19 above. In addition, the combination of Wang et al and Plunk et al discloses:
The system of Claim 19 further comprising: said enrichment pipeline, wherein said enriching comprises enriching based on analyzing whether a string is contained within an HTTP or HTTPS response [(Wang et al. Abstract Lines 3-14; Column 3 Lines 19-25; Column 11 Lines 12-21, 51-67; Column 12 Lines 1-9; Column 13 Lines 49-55; Figure 2 Items 202, 204B, 206, 208C) where Wang et al teaches analyzing strings contained within HTTP responses for specific HTTP addresses for enriching or increasing the leads or computing device threats by increasing the threat indicator score based on a correlation of additional suspicious behaviors associated with the monitored network traffic].
Regarding Claim 27, most of the limitations of this claim have been noted in the rejection of Claim 19. Applicant is directed to the rejection of Claim 19 above. In addition, the combination of Wang et al and Plunk et al discloses:
The system of Claim 19 further comprising:- said enrichment pipeline, wherein said enriching comprises enriching based on analyzing whether a regular expression is matched within an HTTP or HTTPS response [(Wang et al. Abstract Lines 3-14; Column 3 Lines 19-25; Column 11 Lines 12-21, 51-67; Column 12 Lines 1-9; Column 13 Lines 49-55; Figure 2 Items 202, 204B, 206, 208C) where Wang et al teaches analyzing regular expressions matched within HTTP responses for specific HTTP addresses for enriching or increasing the leads or computing device threats by increasing the threat indicator score based on a correlation of additional suspicious behaviors associated with the monitored network traffic].
Regarding Claim 28, most of the limitations of this claim have been noted in the rejection of Claim 19. Applicant is directed to the rejection of Claim 19 above. In addition, the combination of Wang et al and Plunk et al discloses:
The system of Claim 19 further comprising: said enrichment pipeline, wherein said enriching comprises enriching based on analyzing a TCP Banner [(Wang et al. Abstract Lines 3-14; Column 3 Lines 19-25; Column 11 Lines 12-21, 51-67; Column 12 Lines 1-9; Column 13 Lines 49-55; Column 14 Lines 6-29; Figure 2 Items 202, 204B, 206, 208C) where Wang et al teaches analyzing TCP Banners matched within HTTP responses for specific HTTP addresses for enriching or increasing the leads or computing device threats by increasing the threat indicator score based on a correlation of additional suspicious behaviors associated with the monitored network traffic].
Regarding Claim 29, most of the limitations of this claim have been noted in the rejection of Claim 19. Applicant is directed to the rejection of Claim 19 above. In addition, the combination of Wang et al and Plunk et al discloses:
The system of Claim 19 further comprising: said enrichment pipeline, wherein said enriching comprises enriching based on analyzing a hash of a TCP Banner [(Wang et al. Abstract Lines 3-14; Column 3 Lines 19-25; Column 11 Lines 12-21, 51-67; Column 12 Lines 1-9; Column 13 Lines 49-55; Column 14 Lines 6-29; Figure 2 Items 202, 204B, 206, 208C) where Wang et al teaches analyzing hashes of TCP Banners for specific HTTP addresses for enriching or increasing the leads or computing device threats by increasing the threat indicator score based on a correlation of additional suspicious behaviors associated with the monitored network traffic].
Regarding Claim 30, most of the limitations of this claim have been noted in the rejection of Claim 19. Applicant is directed to the rejection of Claim 19 above. In addition, the combination of Wang et al and Plunk et al discloses:
The system of Claim 19 further comprising:- said enrichment pipeline, wherein said enriching comprises enriching based on analyzing whether a string is contained within a TCP Banner [(Wang et al. Abstract Lines 3-14; Column 3 Lines 19-25; Column 11 Lines 12-21, 51-67; Column 12 Lines 1-9; Column 13 Lines 49-55; Column 14 Lines 6-29; Figure 2 Items 202, 204B, 206, 208C) where Wang et al teaches analyzing strings contained within TCP Banners for specific HTTP addresses for enriching or increasing the leads or computing device threats by increasing the threat indicator score based on a correlation of additional suspicious behaviors associated with the monitored network traffic].
Regarding Claim 31, most of the limitations of this claim have been noted in the rejection of Claim 19. Applicant is directed to the rejection of Claim 19 above. In addition, the combination of Wang et al and Plunk et al discloses:
The system of Claim 19 further comprising: said enrichment pipeline, wherein said enriching comprises enriching based on analyzing whether a regular expression is matched within a TCP Banner. [(Wang et al. Abstract Lines 3-14; Column 3 Lines 19-25; Column 11 Lines 12-21, 51-67; Column 12 Lines 1-9; Column 13 Lines 49-55; Column 14 Lines 6-29; Figure 2 Items 202, 204B, 206, 208C) where Wang et al teaches analyzing regular expressions matched within TCP Banners for specific HTTP addresses for enriching or increasing the leads or computing device threats by increasing the threat indicator score based on a correlation of additional suspicious behaviors associated with the monitored network traffic].
Regarding Claim 1:
It is a method claim corresponding as a subset to the apparatus claim of claim 19. Therefore, claim 1 is rejected with the same rationale as applied against claim 19 above.
Regarding Claim 2:
It is a method claim corresponding as a subset to the apparatus claims of claims 19 and 20. Therefore, claim 2 is rejected with the same rationale as applied against claims 19 and 20 above.
Regarding Claim 3:
It is a method claim corresponding to the apparatus claim of claim 21. Therefore, claim 3 is rejected with the same rationale as applied against claim 21 above.
Regarding Claim 4:
It is a method claim corresponding to the apparatus claim of claim 22. Therefore, claim 4 is rejected with the same rationale as applied against claim 22 above.
Regarding Claim 5:
It is a method claim corresponding to the apparatus claim of claim 23. Therefore, claim 5 is rejected with the same rationale as applied against claim 23 above.
Regarding Claim 6:
It is a method claim corresponding to the apparatus claim of claim 24. Therefore, claim 6 is rejected with the same rationale as applied against claim 24 above.
Regarding Claim 7:
It is a method claim corresponding to the apparatus claim of claim 25. Therefore, claim 7 is rejected with the same rationale as applied against claim 25 above.
Regarding Claim 8:
It is a method claim corresponding to the apparatus claim of claim 26. Therefore, claim 8 is rejected with the same rationale as applied against claim 26 above.
Regarding Claim 9:
It is a method claim corresponding to the apparatus claim of claim 27. Therefore, claim 9 is rejected with the same rationale as applied against claim 27 above.
Regarding Claim 10:
It is a method claim corresponding to the apparatus claim of claim 28. Therefore, claim 10 is rejected with the same rationale as applied against claim 28 above.
Regarding Claim 11:
It is a method claim corresponding to the apparatus claim of claim 29. Therefore, claim 11 is rejected with the same rationale as applied against claim 29 above.
Regarding Claim 12:
It is a method claim corresponding to the apparatus claim of claim 30. Therefore, claim 12 is rejected with the same rationale as applied against claim 30 above.
Regarding Claim 13:
It is a method claim corresponding to the apparatus claim of claim 31. Therefore, claim 13 is rejected with the same rationale as applied against claim 31 above.
Allowable Subject Matter – Dependent Claim(s)
Claims 14-18, 32-36 are objected to as being dependent upon a rejected base claim, but would be allowable as a whole over prior art if rewritten in independent form including all of the limitations of their base independent claim, and any intervening dependent claims.
The following is a statement of reasons for the indication of allowable subject matter.
The closest prior art, as recited, Wang et al US Patent #9,143,522 and Plunk et al US Patent #10,769,000, are also generally directed to various aspects of providing identification of malware command and control servers or botnets that create malware threats in a network of computing devices. However, Wang et al or Plunk et al does not teach or suggest, either singularly or in combination, the particular combination of steps or elements as recited in the dependent Claims 14-18, 32-36 when also incorporating all of the limitations of their base independent claim and any intervening dependent claims. For example, none of the cited prior art teaches or suggests the steps of:
a network of computing devices, where multiple computing devices employ the search cluster having been updated to block access from a subset of a plurality of leads based on a threat indicator and enrichment data associated with the subset of the plurality of leads, the network of computing devices, where multiple computing devices employ a search cluster having been updated further including pulling intelligence indicators from the search cluster for the subset of the plurality of leads based on the threat indicator and the enrichment data associated with the subset of the plurality of leads, and writing the intelligence indicators to files stored on a storage appliance, where these files are used to block access from the subset of the plurality of leads, a scanner pipeline, where probing includes probing each of the plurality of leads from at least two distinct regions representing at least two countries, where the probing includes probing each of the plurality of leads using at least two types of user agents, where the probing includes probing each of the plurality of leads to retrieve a respective configuration file, and an enrichment pipeline, where the enriching includes enriching each of the plurality of leads by tracking changes to the configuration file over time.
As recited in dependent Claims 14-18, 32-36 when also incorporating all of the limitations of their base independent claim, any intervening dependent claims, any additional limitations found in dependent Claims 14-18, 32-36.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Jeong et al - US_20110154492: Jeong et al teaches a malicious traffic isolation system using botnet information.
Compton et al - US_20200067970: Compton et al teaches blocking the communication of malicious botnets from customer computing devices to malicious command and control servers.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BRADLEY HOLDER whose telephone number is 571-270-3789. The examiner can normally be reached on Monday-Friday 10:00AM-7:00PM Eastern Time.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Linglan Edwards, can be reached on (571) 270-5440. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/BRADLEY W HOLDER/
Primary Examiner, Art Unit 2408