DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Status
Claims 1-12 are under examination.
Priority
Applicant’s claim to priority to the following provisional application has been acknowledged by the examiner: 63/590,780 (10/16/2023)
Claim Objections
Claims 2 and 9 are objected to because of the following informalities: the acronyms “JA4”, “JA4H”, and “JA4L” must be defined at least once in their respective claims. Appropriate correction is required.
Claim 3 is objected to because of the following informalities: the acronym “HTTP” must be defined at least once in the claim. Appropriate correction is required.
Claim 8 is objected to because of the following informalities: missing preposition in line 9 “risk score based the”, should read “risk score based on the”; the acronym “TLS” must be defined at least once in the claim. Appropriate correction is required.
Drawings
The subject matter of this application admits of illustration by a drawing to facilitate understanding of the invention. Applicant is required to furnish a drawing under 37 CFR 1.81(c). No new matter may be introduced in the required drawing. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d).
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:
(A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function;
(B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and
(C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function.
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitations use a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitations are: “a module configured to collect”, “a storage system for storing”, “a risk analysis engine that compares”, “a rules-based engine configured to assign”, and “a decision-making module that uses” in claim 1, as well as “a module for infusing” in claim 5.
Because these claim limitations are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, they are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have these limitations interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitations to avoid them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitations recite sufficient structure to perform the claimed function so as to avoid them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.
Claim Rejections – 35 USC § 112(a)
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.
Claims 1-7 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
The limitations in claims 1 and 5 described under the “Claim Interpretation” section above invoke interpretation under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitations use a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. A review of the specification reveals no sufficient structure is disclosed to perform the claimed functions. Thus, the claims are indefinite under 35 U.S.C. 112(b) (see related rejection herein, infra). When functional claim language is found indefinite, it typically lacks an adequate written description under § 112(a), because an indefinite, unbounded functional limitation would cover all ways of performing a function and indicate that the inventor has not provided sufficient disclosure to show possession of the invention. Thus, a 112(b) rejection that is based on functional language having unclear claim boundaries should be accompanied by a rejection under 112(a) based on failure to provide a written description for the claim.
The dependent claims 2-7 are similarly rejected based on their dependency on claim 1.
Claim Rejections – 35 USC § 112(b)
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
Claims 1-12 are rejected under 35 U.S.C. 112(b) or pre-AIA 35 U.S.C. 112, second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Regarding claims 1 and 5, their limitations described under the "Claim Interpretation" section above invoke 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. Therefore, the claims are indefinite and are rejected under 35 U.S.C. 112(b) or pre-AIA 35 U.S.C. 112, second paragraph.
Applicant may:
(a) Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph;
(b) Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or
(c) Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)).
If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either:
(a) Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or
(b) Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.
The dependent claims 2-7 are similarly rejected based on their dependency on claim 1.
Regarding claims 1 and 8, they recite “the at least one generated fingerprint component”. However, the claims only recite information to generate at least one fingerprint component but do not recite generating the fingerprint component; therefore there is insufficient antecedent basis for “the at least one generated fingerprint component”. For examination purposes, “the at least one generated fingerprint component” is being interpreted as referring to the “information to generate at least one fingerprint component”.
The dependent claims 2-7 and 9-12 inherit the rejection.
Regarding claim 4, it contains the trademarks/trade names “SQL” and “NoSQL”. Where a trademark or trade name is used in a claim as a limitation to identify or describe a particular material or product, the claim does not comply with the requirements of 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph. See Ex parte Simpson, 218 USPQ 1020 (Bd. App. 1982). The claim scope is uncertain since the trademark or trade name cannot be used properly to identify any particular material or product. A trademark or trade name is used to identify a source of goods, and not the goods themselves. Thus, a trademark or trade name does not identify or describe the goods associated with the trademark or trade name. In the present case, the trademark/trade name is used to identify/describe a “database” and, accordingly, the identification/description is indefinite. For examination purposes, “SQL database” and “NoSQL database” are being interpreted as a relational and a non-relational database, respectively.
Further regarding claim 5, it recites “infusing… with metadata” in line 2. It is not clear how the data is infused and the specification does not define how to infuse data, therefore the scope of the claim is unclear.
Regarding claim 8, it recites the limitation "the TLS handshake" in line 3. There is insufficient antecedent basis for this limitation in the claim. For examination purposes, “the TLS handshake” is being interpreted as “a TLS handshake”.
Claim 8 also recites “the component fingerprint” which lacks antecedent basis. For examination purposes, the claim is interpreted as reciting “the fingerprint component”.
The dependent claims 9-12 are similarly rejected based on their dependency on claim 8.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-2, 4-10, and 12 are rejected under 35 U.S.C. 103 as unpatentable over Yang et al. (US Patent Publication 2024/0259370), hereinafter Yang, in view of Christian (US Patent Publication 2024/0121107).
Regarding claim 1, Yang teaches A system for automated session hijacking detection (Fig 1.), comprising:
a module configured to collect client data during a Transport Layer Security (TLS) handshake process (¶48: “Server-side signature and behavior analysis may allow for increased detection accuracy and user satisfaction. For example, signature and behavior data received on the server-side includes information such as cypher suites, handshake protocols (e.g., TLS handshake protocols) …”), wherein the client data includes information to generate at least one fingerprint component (¶51: “In some embodiments, a JA3 fingerprint can be created by generating a hash of certain fields in the SSL or TLS client HELLO messages. In some embodiments, a JA3S fingerprint can be created by generating a hash of certain fields in the SSL or TLS server HELLO messages. In some embodiments, a JA3 fingerprint can include the supported cipher suites by the client and/or the client's random value. In some embodiments, JA3 fingerprinting information can include or be related to a JA3 fingerprint, UA information associated with the JA3 fingerprint, and an Internet Protocol (IP) addresses of the user devices implementing the client.”);
a storage system for storing the at least one generated fingerprint component alongside associated metadata and historical context (¶68: “The signature and/or behavior identification may include analyzing messages transmitted contemporaneous with the analysis, such as messages that are received and for which an analysis is done before or in parallel with determining whether to operate on the message. The signature and/or behavior identification may additionally and/or alternatively include analyzing messages previously transmitted, such as over any suitable prior time period. Such information may be stored in database 114 and may be retrieved using an identifier for an entity, such as a signature for the entity determined by the entity identification facility.”);
a risk analysis engine that [compares the at least one generated fingerprint component against stored historical fingerprints] (¶41: “In some embodiments, server-side identification can additionally or alternatively include behavior analysis, including current behaviors and historical behaviors gathered in part from network traffic transmitted by the entity, such as traffic between the entity and other devices on the network, such as the server doing the behavior analysis, other servers, or other devices.”);
a rules-based engine configured to assign a context-based risk score based on [the comparison of the at least one generated fingerprint component] (¶103: “In some embodiments, at inference time entity identification classifier 614 can receive extracted features from feature extraction 610, perform data preprocessing on the extracted features, and generate a prediction output 616. In some embodiments, prediction output 616 can include an entity score in a scale from 0.00 to 1.00. In those embodiments, the higher the score the more likely that the entity is a malicious or non-human entity.”) and the historical context (¶101: “…framework 600 can include receiving a dataset 602 including WAF logs 604, CDN logs 606, and bot logs 608.”); and
a decision-making module that uses the context-based risk score to trigger a security action (¶75: “In Step 210, the entity identification facility performs an action based on the entity classification at Step 208.”), but Yang fails to teach compares the at least one generated fingerprint component against stored historical fingerprints and assign a context-based risk score based on the comparison of the at least one generated fingerprint component.
However, Christian teaches compares the at least one generated fingerprint component against stored historical fingerprints and assign a context-based risk score based on the comparison of the at least one generated fingerprint component (Christian ¶7: “The system and methods use a triangulation process whereby analytical results pertaining to data protocol, user-behavior and packet content are combined to establish a baseline for the data. Subsequent incoming data is then scored and compared against the baseline to detect any security anomalies.”).
It would have been obvious for one of ordinary skill in the art before the effective filing date of the invention to modify Yang in view of Christian to compare the fingerprint component to historical ones for the prediction score in order to enable more accurate and dynamic security actions (¶7: “The design allows establishing the context of various events of interest in the organization, thus enabling dynamic management of security policies.”).
Claim 8 is substantially similar to claim 1 and is rejected under the same rationale. In addition, Yang teaches A method for automated sessions hijacking detection (Fig. 2).
Regarding claim 2, Yang and Christian teach the system of claim 1, wherein the at least one generated fingerprint component comprises one or more of a JA4 fingerprint component (¶51: “In some embodiments, a JA3 fingerprint can include the supported cipher suites by the client and/or the client's random value.”), a JA4H fingerprint component (¶53: “In some embodiments, behavior-based features can be gathered from access logs or HTTP headers.”), and a JA4L fingerprint component (¶53: “In some embodiments, behavior-based features may include network traffic volume information (e.g., request counts, bytes in, backend bytes in, bytes out, backend bytes out, file size, etc.), timing and speed information (e.g., total connection times, total write times, inter arrival times, etc.)…”). Examiner note: the JA4, JA4H, and JA4L fingerprint component mapping is based on the stated fingerprint components from the specification.
Claim 9 is substantially similar to claim 2 and is rejected under the same rationale.
Regarding claim 4, Yang and Christian teach the system of claim 1, wherein the storage system comprises at least one of an SQL database, a NoSQL database, or a key-value store (¶71: “In some embodiments, the network traffic data and internal logs may be obtained by computing device (e.g., server 110) from a database (e.g., database 114) or from another device (e.g., by server 110 from server 112, or vice versa). The entity identification facility may retrieve communications for a past time from a database 114 using an identifier for a client and/or an entity, such as an IP address or other identifier, or using a signature calculated as in step 204 or otherwise as described herein.”).
Regarding claim 5, Yang and Christian teach the system of claim 1, further comprising a module for infusing new fingerprint components with metadata including browser, operating system, or software library information before risk analysis (¶72: “…the entity identification facility extracts or otherwise determines signature information and/or behavior information corresponding to the entity from the network traffic data and internal logs. As noted herein, in some embodiments, signature information can include user-agent (UA) information, JA3 fingerprinting information, and information exchanged in a security handshaking or negotiation process, such as a cipher suite or security protocol information. The cipher suite or security protocol information may include a list of security techniques (e.g., ciphers) that are proposed by an entity during a security handshaking or negotiation process as available to be used for securing communications with the entity. In some embodiments, behavior information can include network traffic volume information, timing and speed information, and entropy or cardinality of hosts, referrers, and/or URLs. Embodiments may calculate a signature based on this information in various ways. For example, a data structure combining each of these pieces of information may be used as a signature in some cases. As another example, a result of a calculation performed on the information may be additionally or alternatively used in other embodiments. For example, the signature information may be input to a hash function to generate a hash result, which may be additionally or alternatively included in the signature. In some embodiments that use multiple pieces of information for a signature, a signature may include some pieces of signature information without computation (e.g., raw values) and may include hash values or other calculated values for other pieces of signature information.”).
Regarding claim 6, Yang and Christian teach the system of claim 1, wherein the security action comprises a session revocation (¶75: “In some embodiments, the action can include granting or denying the entity access to the network or terminating a connection with the entity.”).
Claim 10 is substantially similar to claim 6 and is rejected under the same rationale.
Regarding claim 7, Yang and Christian teach the system of claim 1, wherein the security action comprises an alert generation (¶72: “In some embodiments, the action can include notifying a third party of the entity classification.”).
Claim 12 is substantially similar to claim 7 and is rejected under the same rationale.
Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Yang in view of Christian in view of Althouse (US Patent Publication 2024/0396914).
Regarding claim 3, Yang teaches the system of claim 1, wherein the collected client data comprises one or more of (¶6: “In some embodiments, there is provided a method, wherein the fingerprint-based features of the entity include at least one of:”): protocol information (¶6: “security protocol information proposed by the entity.”), cipher suites (¶6: “cipher suite information for the entity;”), SNI (Server Name Indication) (¶6: “user-agent (UA) information for the entity”), HTTP method (¶89: “can include information such as the source IP address, destination URL, request method (e.g., GET or POST)”), [HTTP version], HTTP headers (¶53: “In some embodiments, behavior-based features can be gathered from access logs or HTTP headers.”), round-trip message duration (¶53: “In some embodiments, behavior-based features may include network traffic volume information (e.g., request counts, bytes in, backend bytes in, bytes out, backend bytes out, file size, etc.), timing and speed information (e.g., total connection times, total write times, inter arrival times, etc.)…”), but fails to explicitly teach HTTP version and packet time to live.
However, Althouse teaches HTTP version (Fig. 8a) and packet time to live (Althouse ¶122: “The timestamp that the SYN packet is seen is captured by the program as value “A”. Additionally, the IPv4 TTL or IPv6 Hop Count from the client is captured (e.g., field “ip.ttl” in Wireshark).”).
It would have been obvious for one of ordinary skill in the art before the effective filing date of the invention to modify Yang’s captured data to include additional pieces of information to use for determining malicious activity (Althouse ¶122: “Additionally, JA4L_b (TTL) passively facilitates the identification of source operating systems, which is an excellent data point when performing forensic analysis.”).
Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Yang in view of Christian in view of Thompson (US Patent Publication 2024/0283639).
Regarding claim 11, Yang teaches the method of claim 8 but fails to explicitly teach wherein the at least one security action comprises blocking a client IP address.
However, Thompson teaches wherein the at least one security action comprises blocking a client IP address (Thompson ¶372: “…decoding could include converting threat indicators into firewall rule updates to block malicious IP addresses.”).
It would have been obvious for one of ordinary skill in the art before the effective filing date of the invention to modify Yang and Christian in view of Thompson to add another security action to better protect against detected malicious actors (Thompson ¶373: “In some arrangements, re-configuring the security tool of an entity can include modifying existing firewall rules to address new vulnerabilities revealed by the verified intelligence. For example, adding or removing rules to better protect against the identified threats.”).
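The following is an added illustration, not part of this Office action and not code from the applicant or from Yang, Christian, Althouse or Thompson, of the pipeline recited in claims 1-12 as mapped in the rejections above: client data collected from a TLS handshake and HTTP request (the claim 3 fields), a fingerprint component stored with infused browser/OS metadata and per-session history (claims 1 and 5), a rules-based comparison of each new component against the session's stored historical fingerprint, and a decision module that allows, alerts, revokes the session or blocks the client IP (claims 6, 7 and 10-12). The fingerprint hash (a truncated SHA-256 over ClientHello fields, which is not the JA4 algorithm), the rule weights, the action thresholds, the user-agent matching and every sample value are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added illustration of the claimed pipeline: collect -> fingerprint -> store with
# metadata and history -> compare -> rules-based score -> security action.
# Every name, rule weight, threshold and sample value below is a constructed assumption.
@dataclass(frozen=True)
class ClientData:
    """Client data collected during the TLS handshake and the first HTTP request."""
    session_id: str
    client_ip: str
    tls_version: str
    cipher_suites: Tuple[int, ...]  # ClientHello cipher suite codes, in offered order
    sni: str                         # Server Name Indication
    http_method: str
    http_version: str
    header_names: Tuple[str, ...]    # HTTP header names, in the order sent
    rtt_ms: float                    # round-trip message duration
    ttl: int                         # IP time to live as observed by the server

def fingerprint_component(data: ClientData) -> str:
    """Hypothetical fingerprint component: truncated SHA-256 over ClientHello fields (not JA4)."""
    material = "|".join([data.tls_version, ",".join(map(str, data.cipher_suites)), data.sni])
    return hashlib.sha256(material.encode("utf-8")).hexdigest()[:16]

@dataclass
class StoredRecord:
    fingerprint: str
    metadata: Dict[str, str]  # browser / OS hints infused before risk analysis
    client_ip: str
    ttl: int
    http_version: str

class FingerprintStore:
    """Storage system: every record seen per session, i.e. the historical context."""
    def __init__(self) -> None:
        self._history: Dict[str, List[StoredRecord]] = {}
    def add(self, session_id: str, record: StoredRecord) -> None:
        self._history.setdefault(session_id, []).append(record)
    def history(self, session_id: str) -> List[StoredRecord]:
        return list(self._history.get(session_id, []))

def infuse_metadata(user_agent: str) -> Dict[str, str]:
    """Attach browser and OS hints (toy substring matching, not a real UA parser)."""
    ua = user_agent.lower()
    browser = "chrome" if "chrome" in ua else "firefox" if "firefox" in ua else "other"
    os_name = "windows" if "windows" in ua else "linux" if "linux" in ua else "other"
    return {"browser": browser, "os": os_name}

def risk_score(new: StoredRecord, history: List[StoredRecord]) -> int:
    """Risk analysis + rules engine: weight each deviation from the record that opened the session."""
    if not history:
        return 0  # first observation becomes the session's baseline
    base = history[0]
    score = 0
    if new.fingerprint != base.fingerprint:
        score += 60   # TLS client stack changed mid-session
    if new.metadata.get("os") != base.metadata.get("os"):
        score += 15   # declared operating system changed
    if abs(new.ttl - base.ttl) > 8:
        score += 15   # TTL far from baseline: likely a different host or OS
    if new.http_version != base.http_version:
        score += 10
    if new.client_ip != base.client_ip:
        score += 10
    return min(score, 100)

def decide(score: int) -> str:
    """Decision-making module: map the score to an action (thresholds are assumptions)."""
    if score >= 80:
        return "revoke_session_and_block_ip"
    if score >= 40:
        return "alert"
    return "allow"

def process_request(store: FingerprintStore, data: ClientData, user_agent: str) -> Tuple[int, str]:
    """Run one request through the whole pipeline; returns (score, action)."""
    record = StoredRecord(fingerprint_component(data), infuse_metadata(user_agent),
                          data.client_ip, data.ttl, data.http_version)
    score = risk_score(record, store.history(data.session_id))
    store.add(data.session_id, record)
    return score, decide(score)

# Constructed sample traffic: a session established by one browser, then a later
# request presenting the same session id from a different TLS stack, OS and address.
LEGIT = ClientData("sess-1", "198.51.100.10", "TLSv1.3", (4865, 4866, 4867, 49195),
                   "app.example", "GET", "HTTP/2", ("host", "user-agent", "accept"), 42.0, 118)
SUSPECT = ClientData("sess-1", "203.0.113.77", "TLSv1.2", (49172, 49171, 47, 53),
                     "app.example", "GET", "HTTP/1.1", ("host", "accept"), 310.0, 55)
UA_BROWSER = "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"
UA_LIBRARY = "python-requests/2.31 (Linux)"

def demo() -> List[Tuple[int, str]]:
    store = FingerprintStore()
    return [process_request(store, LEGIT, UA_BROWSER),    # baseline:    (0, "allow")
            process_request(store, LEGIT, UA_BROWSER),    # same client: (0, "allow")
            process_request(store, SUSPECT, UA_LIBRARY)]  # takeover:    (100, "revoke_session_and_block_ip")
```

The first record for a session establishes the baseline, so the comparison is always against the stored historical fingerprint rather than against a global allow-list; the weights make a changed TLS fingerprint alone reach the alert threshold, while the combination of a changed fingerprint, OS, TTL, HTTP version and address crosses the revocation threshold.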
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ALEC ANKRUM whose telephone number is (571)272-9209. The examiner can normally be reached M-F 7:15am-3:15pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ali Shayanfar can be reached at 571-270-1050. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/A.C.A./Examiner, Art Unit 2434
/NOURA ZOUBAIR/Primary Examiner, Art Unit 2434