DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This is a first office action in response to the instant application for letters patent filed on 19 August 2024. Claims 1-20 are presented for examination.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 08/19/2024 was filed before the mailing date of the first office action on the merits. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13.
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer.
Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 12069085, hereinafter patent “085”. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the instant application encompass the same metes, bounds, and limitations than the claims of patent “085”. Both claims are similar with a slight word that is missing in the instant application which is “acquiring”. In addition, “a plurality of subsets” have been modified to read “the at least one subset”. Further analysis shows that “acquiring” and “extracting” are very close in meaning. Also, “a plurality of subsets” and “at least one subset” are similar. Therefore, it would be obvious to a skill artisan before the effective filing date of the invention as claimed to use different wording with the same meaning in the claims of different applications while also eliminating, if any, the limitations or addition of slight words that do not change the concept and results of the claims in both, the application and patent. since it has been held that omission of an element and its function and a combination where the remaining elements perform the same functions as before involves only routine skill in the art. See in re Karlson, 136 USPQ 184 (CCPA 1964). See also, Ex Parte Rainu, 168 USPQ 375 (Bd.App. 1969).
US Patent 12069085:
1. A method comprising: acquiring, by a processing system including at least one processor, a plurality of hypertext transfer protocol session packets associated with a plurality of known trojans, wherein all trojans in the plurality of known trojans are identified by a common signature identifier; extracting, by the processing system, a plurality of request packets from the plurality of hypertext transfer protocol session packets; identifying, by the processing system, a plurality of suspicious request packets within the plurality of request packets that is extracted from the hypertext transfer protocol session packets; grouping, by the processing system, the plurality of suspicious request packets into a plurality of subsets; computing, by the processing system, a centroid of one subset of the plurality of subsets; identifying, by the processing system, a representative packet for the one subset, wherein the representative packet is identified based on the centroid; and generating, by the processing system, a signature for the one subset, based on the representative packet, wherein the signature is deployable by an intrusion detection system to detect an instance of a trojan of the plurality of known trojans.
2. The method of claim 1, wherein the common signature identifier identifies a cluster of hashes, where each hash in the cluster of hashes represents a specific variant of a trojan that is uniquely identified by the common signature identifier.
3. The method of claim 1, wherein each request message in the plurality of request messages comprises a request message sent from a sending endpoint device to a receiving endpoint device, in which the sending endpoint device requests that the receiving endpoint device take a specified action.
4. The method of claim 1, wherein the extracting comprises scanning headers of the hypertext transfer protocol session packets for a request to be implemented.
5. The method of claim 4, wherein the request to be implemented comprises at least one of: get, put, post, user-agent, accept, accept-language, referrer, or if-none.
6. The method of claim 1, wherein the extracting comprises scanning payloads of the hypertext transfer protocol session packets for data associated with a request.
7. The method of claim 6, wherein the data includes contents of a hypertext markup language form associated with a post request.
8. The method of claim 1, wherein the plurality of suspicious request packets comprises request packets of the plurality of request packets which specify internet protocol addresses that do not appear on a whitelist acquired by the processing system.
9. The method of claim 1, wherein the plurality of suspicious request packets comprises request packets of the plurality of request packets which specify domains that do not appear on a whitelist acquired by the processing system.
10. The method of claim 1, wherein the plurality of suspicious request packets is grouped into the plurality of subsets based on a similarity, such that all suspicious request packets belonging to a common subset of the plurality of subsets share a common attribute.
11. The method of claim 10, wherein the common attribute comprises at least one of: a hypertext transfer protocol attribute, a transfer control protocol attribute, or an internet protocol attribute.
12. The method of claim 11, wherein the hypertext transfer protocol attribute comprises at least one of: uri, method, host, accept, accept-encoding, user-agent, version, content length, content-type, content-encoding, connection, or referrer.
13. The method of claim 11, wherein the transfer control protocol attribute or the internet protocol attribute comprises at least one of: src_addr, dst_addr, len, ttl, protocol, src_prt, destination port, or dst_prt.
14. The method of claim 1, wherein the grouping is performed using spectral clustering or affinity propagation.
15. The method of claim 1, wherein the representative packet comprises a suspicious request packet within the one subset that is closest to the centroid.
16. The method of claim 1, further comprising: generalizing, by the processing system subsequent to the identifying the representative packet but prior to the generating the signature, information extracted from the representative packet to produce a generalized rule set.
17. The method of claim 16, wherein the signature is generated based on the generalized rule set.
18. The method of claim 1, wherein the signature is capable of being operated at a minimum rate of ten gigabytes per second.
19. A non-transitory computer-readable medium storing instructions which, when executed by a processing system including at least one processor, cause the processing system to perform operations, the operations comprising: acquiring a plurality of hypertext transfer protocol session packets associated with a plurality of known trojans, wherein all trojans in the plurality of known trojans are identified by a common signature identifier; extracting a plurality of request packets from the plurality of hypertext transfer protocol session packets; identifying a plurality of suspicious request packets within the plurality of request packets that is extracted from the hypertext transfer protocol session packets; grouping the plurality of suspicious request packets into a plurality of subsets; computing a centroid of one subset of the plurality of subsets; identifying a representative packet for the one subset, wherein the representative packet is identified based on the centroid; and generating a signature for the one subset, based on the representative packet, wherein the signature is deployable by an intrusion detection system to detect an instance of a trojan of the plurality of known trojans.
20. A system comprising: a processing system including at least one processor; and a non-transitory computer-readable medium storing instructions which, when executed by the processing system, cause the processing system to perform operations, the operations comprising: acquiring a plurality of hypertext transfer protocol session packets associated with a plurality of known trojans, wherein all trojans in the plurality of known trojans are identified by a common signature identifier; extracting a plurality of request packets from the plurality of hypertext transfer protocol session packets; identifying a plurality of suspicious request packets within the plurality of request packets that is extracted from the hypertext transfer protocol session packets; grouping the plurality of suspicious request packets into a plurality of subsets; computing a centroid of one subset of the plurality of subsets; identifying a representative packet for the one subset, wherein the representative packet is identified based on the centroid; and generating a signature for the one subset, based on the representative packet, wherein the signature is deployable by an intrusion detection system to detect an instance of a trojan of the plurality of known trojans.
The claims will be allowed upon the submission of a terminal disclaimer by Applicant.
The prior art of record does not teach or suggest the combination of
extracting, by a processing system including at least one processor, a plurality of request packets from a plurality of hypertext transfer protocol session packets associated with a plurality of known trojans, wherein all trojans in the plurality of known trojans are identified by a common signature identifier; identifying, by the processing system, a plurality of suspicious request packets within the plurality of request packets that is extracted from the hypertext transfer protocol session packets; grouping, by the processing system, the plurality of suspicious request packets into at least one subset; computing, by the processing system, a centroid of the at least one subset; identifying, by the processing system, a representative packet for the at least one subset, wherein the representative packet is identified based on the centroid; and generating, by the processing system, a signature for the at least one subset, based on the representative packet, wherein the signature is deployable by an intrusion detection system to detect an instance of a trojan of the plurality of known trojans.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FRANTZ B JEAN whose telephone number is (571)272-3937. The examiner can normally be reached 8-5 M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Glenton B. Burgess can be reached at 5712723949. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/FRANTZ B JEAN/Primary Examiner, Art Unit 2454