Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 05/26/2025 and 10/21/2024 has been considered by the examiner.
Drawings
The drawing submitted on 09/17/2024 has been accepted and reviewed.
Specification
The specification submitted on 09/17/2024 has been accepted and reviewed.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13.
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer.
Claims 1-19 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-15 of U.S. Patent No. 9860259. Although the claims at issue are not identical, they are not patentably distinct from each other because limitation features of claims 1, 10 and 19 of the current application are generic to corresponding limitations of claims 1, 6 and 11 respectively of the conflicting patent (U.S. Patent No. 9860259).
Claims 1-19 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 10630697. Although the claims at issue are not identical, they are not patentably distinct from each other because limitation features of claims 1, 10 and 19 of the current application are generic to corresponding limitations of claims 1, 13 and 13 respectively of the conflicting patent (U.S. Patent No. 10630697).
Claims 1-19 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 11005858. Although the claims at issue are not identical, they are not patentably distinct from each other because limitation features of claims 1, 10 and 19 of the current application are generic to corresponding limitations of claims 1, 8 and 15 respectively of the conflicting patent (U.S. Patent No. 11005858).
Claims 1-19 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 12095779. Although the claims at issue are not identical, they are not patentably distinct from each other because limitation features of claims 1, 10 and 19 of the current application are generic to corresponding limitations of claims 1, 8 and 15 respectively of the conflicting patent (U.S. Patent No. 12095779).
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-19 are rejected under 35 U.S.C. 103 as being unpatentable over Dubrovsky et al. (US 20150350231 A1 –Hereinafter--"Dubrovsky”) in view of LIN et al. (US 20080141358 A1 – Hereinafter—“LIN”)
As per claim 1. Dubrovsky discloses a method for scanning computer data, the method comprising:
scanning a first out-of-order block of a dataset at an application layer ([0023] Referring to FIG. 1A, processing logic receives a packet (processing block 110). Then processing logic checks the sequence number in the packet (processing block 115) and determines whether the packet is out of order (processing block 120). If the packet is out of order, processing logic buffers the packet (processing block 125) and allows the packet to pass. In some embodiments, processing logic makes a copy of the out-of-order packet and temporarily stores the copy in a storage device, such as a cache. Then processing logic waits for the next packet to arrive (processing block 129));
wherein the first out-of-order block is scanned for one or more sets of malware ([0022] FIGS. 1A and 1B A process to perform multiple packet payload analysis in an intrusion detection/prevention system (IPS). “data packet” and “packet” are used interchangeably. Examples of a packet include a TCP packet. [0024-0025] Referring to FIG. 1B, if the packet is not out of order, processing logic performs pattern matching on the packet from the last stored state of the pattern matching (processing block 130). The processing logic performs pattern matching using one Deterministic Finite Automaton (DFA) for each predetermined pattern, and perform multiple pattern matching in order to scan for a signature. To perform multiple pattern matching, processing logic may use a logical pointer to point at the pattern that is currently being matched. Determines whether the in order packets received so far match a predetermined attack pattern (i.e., a pattern or a signature) (processing block 135). If there is a match, processing logic blocks the packet (processing block 137) and issues an alarm (processing block 139). If there is no match, processing logic checks whether there is any buffered packets in the IPS (processing block 140). If there is no buffered packets in the IPS, then processing logic updates and stores the current state of the pattern matching performed so far (processing block 152));
generating an output state based on the scan of the first out-of-order block ([0026] If there is at least one buffered packet in the IPS, then processing logic checks whether the buffered packet is next in order (processing block 142). Processing logic may check the sequence number in the buffered packet to determine whether the buffered packet is next in order. If the buffered packet is not next in order, then processing logic checks whether there is another buffered packet in the IPS (processing block 150). If there is no more buffered packet in the IPS, then processing logic transitions to processing block 152. Otherwise, processing logic returns to processing block 142 to check whether the other buffered packet is next in order. [0028] If there is no match, then processing logic clears this buffered packet from the buffer (processing block 148). Then processing logic transitions to processing block 150 to check whether there is any more buffered packet. If there is at least one more buffered packet, then processing logic repeats processing blocks 142. Otherwise, processing logic updates and stores the current state of the pattern matching (processing block 152) and then allows the current packet to pass (processing block 127). Processing logic waits for the next packet (processing block 129) before repeating the above process for the next packet);
performing one or more subsequent scans of other blocks of the dataset including a second out-of-order block that precedes the first out-of-order block ([0026] If there is at least one buffered packet in the IPS, then processing logic checks whether the buffered packet is next in order (processing block142). Processing logic may check the sequence number in the buffered packet to determine whether the buffered packet is next in order. If the buffered packet is not next in order, then processing logic checks whether there is another buffered packet in the IPS (processing block 150). If there is no more buffered packet in the IPS, then processing logic transitions to processing block 152. Otherwise, processing logic returns to processing block 142 to check whether the other buffered packet is next in order. [0028] If there is no match, then processing logic clears this buffered packet from the buffer (processing block 148). Then processing logic transitions to processing block 150 to check whether there is any more buffered packet. If there is at least one more buffered packet, then processing logic repeats processing blocks 142);
generating output states for each of the subsequent scans ([0031] Referring to FIG. 2A, the DFA 200 includes 5 states 211-219. The states 211-219 in the DFA 200 may be referred to as nodes. Pattern matching begins at the initial state 211. If a packet received contains a “1”, processing logic remains in the initial state 211. If the packet contains a “0”, which corresponds to the first digit in the predetermined pattern, processing logic transitions to the A state 213. If processing logic receives a “0” subsequently, processing logic remains in the A state 213. If processing logic receives a “1”, which corresponds to the second digit in the predetermined pattern, then processing logic transitions into the B state 215);
storing in memory the output states for the first out-of-order block and the output states for the other blocks, wherein the output states are correlated to identified input states ([0029-0030] By holding back the last packet received until it is verified that all the in order packets received so far do not contain the predetermined pattern, processing logic may prevent harmful or hostile data patterns from passing through the IPS via multiple out-of-order packets. The packets containing the incomplete hostile data pattern that have been passed to an application layer cannot launch an attack on the system. Moreover, by copying the out-of-order packets and allowing these out-of-order packets to pass, processing logic does not intrude or interrupt the data traffic, and hence, provides protection against attacks reduces the overall latency in data traffic due to the IPS. FIG. 2A Processing logic performs pattern matching using one Deterministic Finite Automaton (DFA) for each predetermined pattern. An IPS is programmed to detect and to prevent a pattern of “0111” to pass through. The DFA 200 shown in FIG. 2A corresponds to this pattern. Processing logic may use the DFA 200 to perform pattern matching on a number of packets to determine whether the packets contain the pattern “0111”. Furthermore, to simplify the illustration, it is assumed in this example that each packet contains only one digit. However, it should be appreciated that the concept is applicable to scenarios where a packet contains more than one digits and/or alphabetic letters);
identifying that the dataset includes a set of malware when the output states for the first out-of-order block and the output states for the other blocks match a pattern associated with the identified set of malware ([0034] One advantage of using the DFA to perform pattern matching on packets is to eliminate the need to reassemble the packets because processing logic can walk through the DFA as each packet is received and examined. If processing logic reaches a final state, there is a match between the pattern contained in the packets received so far and the predetermined pattern. A pattern is typically broken up into a number of segments and each segment is transmitted using a packet. Using the DFA, processing logic may not have to reassemble the packets in order to find out what the pattern contained in the packets is in order to match the pattern against a predetermined pattern. Processing logic may perform pattern matching on a packet-by-packet basis as each of the packets is received without reassembling the packets. Therefore, processing logic does not have to store the packets for reassembling the packets. Instead, processing logic may simply store a pointer to keep track of the current state in the DFA. [0035] A signature is a collection of multiple patterns. To keep track of which pattern within a signature is being matched, processing logic may use a tree structure, where each node within the tree structure corresponds to a pattern and each pattern is represented using a DFA. [0036] Multiple patterns in a signature are matched sequentially. That is, once a first pattern is matched, processing logic goes on to try to match a second pattern. However, processing logic may continue looking for the first pattern in the incoming data packets because the first pattern may repeat before the second pattern arrives. Processing logic has to take into consideration of additional rules besides matching individual patterns of a signature. For example, a first pattern may have to be at least x bytes away from the second pattern, where x is a predetermined number. Alternatively, two patterns of the signature may have to be separated from each other by y bytes or less, where y is a predetermined number).
Dubrovsky does not explicitly disclose the application layer is in a peer-to-peer network. LIN, in analogous art however, discloses the application layer is in a peer-to-peer network ([0011-0023] Provide an identification and administration system applied to P2P gateway, which makes use of a fast pass mechanism to copy out-of-order packets in the gateway and allows the out-of-order packets to quickly pass so as to shorten non-deterministic delay due to packet loss. [0029] The present invention can effectively process out-of-order packets. The method is to copy these out-of-order packets in the gateway and allow them to pass quickly, as shown in Step S22 of FIG. 3. In this way, the receiving end can receive an intact file earlier. Receiving end will receive these out-of-order packets earlier and sends out three identical ACK segments to the transmitting end to induce retransmission. Because the retransmission is induced by three identical ACK signals instead of TCP timeout, the retransmission can be faster. [0031] The throughput and the CPU utilization are two primary factors for judging the performance of a gateway system. FIG. 5 is a bar chart showing the throughput of the system of the present invention and the P2PADM system under different configurations. FIG. 6 is a bar chart showing the CPU utilization of the system of the present invention and the P2PADM system under different configurations. FIG. 6 provides the total CPU utilization of the system). Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify the claimed limitations of the application layer disclosed by Dubrovsky is in a peer-to-peer network. This modification would have been obvious because a person having ordinary skill in the art would have been motivated by the desire to provide an administration system of peer-to-peer (P2P) gateway and, more particularly, to an identification and administration system applied to the P2P gateway to enhance the transmission speed and performance of network as suggested by LIN ([0002]).
As per claim 2: Dubrovsky in view LIN discloses the method of claim 1, further comprising eliminating one or more of the sets of malware in accordance with the output state limiting one or more possible input states (Dubrovsky [0045] In some embodiments, data packets 260 (e.g., TCP packets) are transmitted via the IPS 230 between the network 250 and the client applications 241-244. In order to detect multiple signatures in the packets passing through the IPS 230, the IPS 230 keeps track of which signature(s) is being matched for which TCP connection and which pattern within the corresponding signature is being matched. Referring to FIG. 2C, the IPS 230 is programmed to detect a number of attack patterns 270, such as AP1, AP2, APK, etc. Each of the attack patterns 270 may include one or more predetermined patterns. An attack pattern that includes multiple patterns (e.g., AP1, APK) may also be referred to as a signature. AP1 includes n patterns represented by DFA.sub.1 to DFA.sub.N. Upon a successful match of DFA.sub.1 of AP1 for a given client application, DFA.sub.2 of AP1 is started for that client application. Upon completing DFA.sub.N for AP1, an attack pattern is identified. Unlike AP1, AP2 includes a single pattern presented by DFA.sub.n+1. APK includes multiple patterns represented by DFA.sub.k, DFA.sub.k+1, etc. Note that the multiple patterns of an attack pattern may be represented by a tree structure, where each node of the tree structure corresponds to a pattern of the signature).
As per claim 3: Dubrovsky in view LIN discloses the method of claim 1, wherein scanning the first out-of-order block is based on an input state associated with the identified set of malware (Dubrovsky [0030] FIG. 2A illustrates an example of a DFA according to one embodiment of the invention. In this example, an IPS is programmed to detect and to prevent a pattern of “0111” to pass through. The DFA 200 shown in FIG. 2A corresponds to this pattern. Processing logic may use the DFA 200 to perform pattern matching on a number of packets to determine whether the packets contain the pattern “0111”).
As per claim 4: Dubrovsky in view LIN discloses the method of claim 3, wherein the input state associated with the identified set of malware corresponds to an identified input set of an empty string (Dubrovsky [0032-0033] From the B state 215, processing logic may transition back to the A state 213 if the next packet received contains a “0”. If the next packet received contains a “1”, which corresponds to the third digit in the predetermined pattern, then processing logic transitions to the C state 217. From the C state 217, processing logic may transition back to the A state 213 if the next packet received contains a “0”. If the next packet received contains a “1”, which corresponds to the last digit in the predetermined pattern, then processing logic transitions to the final state 219. When processing logic reaches the final state 219, processing logic knows that the packets received so far contains the predetermined pattern).
As per claim 5: Dubrovsky in view LIN discloses the method of claim 3, wherein the input state indicates that one or more characters in a sequence of characters match the identified set of malware (Dubrovsky [0037] FIG. 2B illustrates an exemplary DFA 2000 representing two patterns according to one embodiment of the invention. In this example, an IPS is programmed to detect a pattern of “CAT” and a pattern of “CACHE.” Both patterns may be part of a signature. To simplify the illustration, it is assumed in this example that each packet contains only one alphabetic letter. However, it should be appreciated that the concept is applicable to scenarios where a packet contains one or more alphabetic letters and/or one or more numeric digits).
As per claim 6: Dubrovsky in view LIN discloses the method of claim 1, wherein the generated output state requires a subsequent portion to end with one or more characters of a string associated with the identified set of malware (Dubrovsky [0038] The DFA 2000 includes six states 2010-2016. Pattern matching begins at the initial state 2010. If a packet received contains a “C,” which is the first letter of both “CAT” and “CACHE,” processing logic transitions to the state 2011. If the packet received contains any other alphabet, processing logic remains in the initial state 2010. From state 2011, if processing logic receives a “C,” then processing logic remains in state 2011. If processing logic receives an “A,” then processing logic transitions to state 2012. If processing logic receives any alphabet other than “A” or “C,” processing logic returns to the initial state 2010).
As per claim 7: Dubrovsky in view LIN discloses the method of claim 1, further comprising storing a state mapping in memory that identifies a plurality of states associated with each of the sets of malware (Dubrovsky [0045] AP1 includes n patterns represented by DFA.sub.1 to DFA.sub.N. Upon a successful match of DFA.sub.1 of AP1 for a given client application, DFA.sub.2 of AP1 is started for that client application. Upon completing DFA.sub.N for AP1, an attack pattern is identified. Unlike AP1, AP2 includes a single pattern presented by DFA.sub.n+1. APK includes multiple patterns represented by DFA.sub.k, DFA.sub.k+1, etc. Note that the multiple patterns of an attack pattern may be represented by a tree structure, where each node of the tree structure corresponds to a pattern of the signature).
As per claim 8: Dubrovsky in view LIN discloses the method of claim 1, wherein the output state based on the scan of the first out-of-order block reduces a number of identified input states for the second out-of-order block (Dubrovsky [0035] The concept described above may be expanded to signature detection. A signature is a collection of multiple patterns. To keep track of which pattern within a signature is being matched, processing logic may use a tree structure, where each node within the tree structure corresponds to a pattern and each pattern is represented using a DFA. Alternatively, a single DFA may represent multiple patterns, an example of which is discussed below with reference to FIG. 2B. Processing logic may use a pointer to point at the node corresponding to the pattern that is currently being matched).
As per claim 9: Dubrovsky in view LIN discloses the method of claim 8, wherein the output state further reduces an amount of the memory used to identify the identified set of malware (Dubrovsky [0026] If there is at least one buffered packet in the IPS, then processing logic checks whether the buffered packet is next in order (processing block 142). Processing logic may check the sequence number in the buffered packet to determine whether the buffered packet is next in order. If the buffered packet is not next in order, then processing logic checks whether there is another buffered packet in the IPS (processing block 150). If there is no more buffered packet in the IPS, then processing logic transitions to processing block 152. Otherwise, processing logic returns to processing block 142 to check whether the other buffered packet is next in order).
As per claims 10-18: Claims 10-18 are directed to a non-transitory computer-readable storage medium having embodied thereon a program executable by a processor to implement a method for scanning computer data, the method having substantially similar corresponding limitations of claims 1-9 respectively and therefore claims 10-18 are rejected with the same rationale given above to reject corresponding limitations of claims 1-9 respectively.
As per claim 19: Claim 19 is directed to a system for scanning computer data, the system comprising: a communication interface that communicates over a communication network with one or more computers in a peer-to-peer network, wherein the communication interface receives a plurality of blocks of a dataset; a processor that executes instructions stored in memory, wherein the processor executes the instructions having substantially corresponding limitations of claim 1 and therefore claim 19 is rejected with the same rationale given above to reject claim 1.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Sood et la. (US 20050286526 A1) provides a mechanism to receive out-of-order packets and to use a table to place the out-of-order packets in a queue so that the packets are queued in order of a sequence in which the packets were sent.
Joll et la. (US 20140157405 A1) discusses a scalable cyber-security system and architecture for identification of malware and malicious behavior in a computer network. Host flow, host port usage, host information and network data at the application, transport and network layers are aggregated from within the network and correlated to identify a network behavior such as the presence of malicious code.
JOHNSON et al. (et al. US 20070226362 A1) discussion provides regular expression matching over a plurality of packets for each data segment in a flow with no predecessor in a stored list of objects generated from traversing a deterministic finite sate automation (DFA) associated with the regular expression: traversing the DFA using the data segment and a list of all non-accepting states; and if the plurality of packets is not declared as matching, then storing, as list of equivalence classes, automaton state pairs having different starting states but an identical ending state. JOHNSON’s disclosure determines whether the flow matches the regular expression.
Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TECHANE GERGISO whose telephone number is (571)272-3784. The examiner can normally be reached 9:30am to 6:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, LINGLAN EDWARDS can be reached at (571) 270-5440. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/TECHANE GERGISO/ Primary Examiner, Art Unit 2408