Prosecution Insights
Last updated: April 19, 2026
Application No. 18/961,594

Malicious C&C channel to fixed IP detection based on packet volume

Status: Non-Final OA (§103, §DP)
Filed: Nov 27, 2024
Examiner: LEE, MICHAEL M
Art Unit: 2436
Tech Center: 2400 — Computer Networks
Assignee: Palo Alto Networks Inc.
OA Round: 1 (Non-Final)
Grant Probability: 84% (Favorable)
Expected OA Rounds: 1-2
Time to Grant: 3y 0m
Grant Probability With Interview: 99%

Examiner Intelligence

Career Allow Rate: 84%, above average (217 granted / 259 resolved; +25.8% vs TC avg)
Interview Lift: +44.1% (grant rate of resolved cases with an interview vs. without; a strong lift)
Typical Timeline: 3y 0m average prosecution; 27 applications currently pending
Career History: 286 total applications across all art units

Statute-Specific Performance

§101: 8.5% (-31.5% vs TC avg)
§103: 48.7% (+8.7% vs TC avg)
§102: 7.7% (-32.3% vs TC avg)
§112: 22.6% (-17.4% vs TC avg)
Comparison is to the Tech Center average estimate. Based on career data from 259 resolved cases.

Office Action

§103 §DP

DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. This is a non-final office action in response to applicant's communication filed on 11/27/2024. Claims 1-18 are pending and being considered.

Priority

This application is filed as a division of US patent application 18/353,115 filed on 7/17/2023 (now US Patent No. 12,218,969), which is a continuation application of US patent application No. 16/798,466 filed on 2/24/2020 (now US Patent No. 11,811,820).

Information Disclosure Statement

The information disclosure statements (IDS) submitted on 1/1/2025, 4/29/2025, 5/25/2025 and 10/26/2025 have been considered. The submissions are in compliance with the provisions of 37 CFR 1.97. Accordingly, initialed and dated copies of Applicant's IDS forms 1449 filed as stated above are attached to the instant Office Action.

Claim Objections

Claims 5, 11, 17 are objected to because of the following informalities: Claim 5 lines 1-2, "wherein the protocol is selected ..." may read "wherein the selected protocol is selected ...". Similarly claim 11, claim 17. Corrective action is suggested.

Double Patenting

The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the "right to exclude" granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).

A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).

The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claims 1, 7, 13 are rejected on the ground of nonstatutory double patenting as being anticipated by the corresponding claims of US Patent 11,811,820 (hereinafter "'820"). Claim 1 and claim 14 of '820 disclose all of the limitations recited in claim 1 (claims 7, 13 respectively) of the instant application, as seen in the table below.

Claim Comparison

Instant Application 18/961,594, Claim 1 (similarly claims 7, 13):
A method/apparatus/computer software product for protecting a computer system against malicious channels to fixed Internet Protocol (IP) addresses, the method comprising:
collecting, by a processor, information extracted from data traffic transmitted between multiple local nodes on a private data network and public IP addresses outside the private data network;
identifying in the data traffic packets transmitted from one of the local nodes to one of the public IP addresses in accordance with a selected protocol, among multiple protocols used in the data traffic;
computing a volume of the identified packets;
comparing the computed volume to a permissible range that is defined for the selected protocol; and
initiating a protective action with respect to the one of the local nodes upon finding that the computed volume is outside the permissible range.

US Patent No. 11,811,820 B2, Claim 1:
A method for protecting a computer system against malicious command and control (C&C) channels to fixed Internet Protocol (IP) addresses, the method comprising:
collecting, by a processor, information extracted from data traffic transmitted between multiple local nodes on a private data network and public IP addresses corresponding to multiple remote nodes on a public data network;
detecting, in the collected information, Domain Name System (DNS) resolutions requested by local nodes, each DNS resolution identifying a local node requesting a resolution with respect to a uniform resource identifier (URI) and a public IP address corresponding to the URI received by the local node in response to the requesting the resolution;
creating a dataset comprising first public IP addresses that were resolved by the DNS resolutions and received by the local nodes in the DNS resolutions detected in the information extracted from the data traffic;
detecting, in the collected information, transmissions from the local nodes that are addressed to second public IP addresses at respective times;
comparing the second public IP addresses to the dataset comprising the first public IP addresses to identify any of the detected transmissions that are addressed to any of the second public IP addresses as the fixed IP addresses that are not included in the dataset comprising the first public IP addresses that were resolved previously by the DNS resolutions as suspicious transmissions; and
initiating a protective action with respect to at least some of the identified suspicious transmissions.

US Patent No. 11,811,820 B2, Claim 14:
The method according to claim 1, and further comprising determining a protocol of a given detected transmission to a given public IP address, identifying the determined protocol in a specified list of protocols, computing a count of the detected transmissions to the given public IP address, comparing the computed count to a specified range for the determined protocol, and refraining from the protective action with respect to the given detected transmission upon detecting that the computed count is within the specified range.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-5, 7-11, 13-17 are rejected under 35 U.S.C. 103 as being unpatentable over El-Moussa et al (US20110302656A1, hereinafter "El-Moussa"), in view of Bar et al (US20050021740A1, hereinafter "Bar").

Regarding claim 1, El-Moussa teaches: A method for protecting a computer system against malicious channels to fixed Internet Protocol (IP) addresses (El-Moussa discloses a malicious behaviour detector for detecting malicious behaviour on a network, see [Abstract]), the method comprising: collecting, by a processor, information extracted from data traffic transmitted between multiple local nodes on a private data network and public IP addresses outside the private data network ([0028] In overview, the MBD generally operates in a listening mode ... such that all traffic travelling over the LAN 20 is received by the MBD 100. And referring to Fig. 3 steps S10-S20, and [0047] The method commences and thereafter at steps S10 and S20 the MBD 100 monitors all traffic passing on the LAN 20 and awaits receipt of an Ethernet frame by looping through steps S10 and S20 until such a frame of data is received (i.e. extract) whereupon the method proceeds to step S30. Fig. 2 processor unit. And Fig. 1 LAN 20 (i.e. private data network), Host A, B, etc. (local nodes), and Fig. 1 internet 40 (i.e. outside the private data network), and [0035] For example, it could try to instigate the blocking of all traffic coming from an IP address suspected of sending malicious packets of data (e.g. by sending a message to the gateway/router device 30 connecting the LAN 20 to the Internet 40 to not forward on any traffic coming from a specified external IP address (e.g. from the IP address associated with device 50)));

While El-Moussa teaches the main concept of the invention, i.e. detection of malicious behavior of local devices to a public device (attacker) to monitor the requests made by hosts connected to the external address associated with a blacklisted name, it does not expressly teach the following, which, in the same field of endeavor, Bar teaches: identifying in the data traffic packets transmitted from one of the local nodes to one of the public IP addresses in accordance with a selected protocol, among multiple protocols used in the data traffic; computing a volume of the identified packets; comparing the computed volume to a permissible range that is defined for the selected protocol (Bar discloses a system and method for detecting and protecting against malicious traffic based on deviations from baseline characteristics of traffic directed to destination addresses, see [Abstract]. And [0008] The guard device learns characteristics of the normal pattern of traffic that is directed to each of IP addresses in the monitored set, such as the maximum rate of incoming packets, ..., the protocols and ports that are used, and other parameters. The guard device then detects deviations from this normal pattern, typically by counting the number of anomalous packets that are directed to each of the monitored addresses during a given period of time. And [0019] For example, detecting the events may include detecting failures to establish a Transmission Control Protocol (TCP) connection. And [0072] Guard device 28 examines the packet parameters to determine whether they constitute a suspicious event, at an event counting step 64. One type of suspicious event is receipt of a packet addressed to one of the monitored destination addresses wherein the packet type is out of line with the statistical baseline established for that destination address. For example, if a given monitored address belongs to one of clients 34, one would not expect that address to receive TCP SYN packets (port 80). Detection of such a packet by guard device 28 may indicate that an infected computer is scanning random IP addresses in an attempt to find servers to which it can spread the infection. Thus, guard device 28 counts packets of types that deviate, in terms of port, protocol, or other parameters, from the established baseline profile for any given destination address in the monitored group as suspicious events);

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Bar in the malicious behavior detection of El-Moussa by detecting suspicious packets from deviations from baseline characteristics of communication traffic. This would have been obvious because the person having ordinary skill in the art would have been motivated to base on the detection of deviation to filter the traffic that is of malicious origin for protection against malicious traffic in computer networks (Bar, [Abstract]).

The combination of El-Moussa and Bar further teaches: and initiating a protective action with respect to the one of the local nodes upon finding that the computed volume is outside the permissible range (El-Moussa, Fig. 3B step S100, and [0051] the amassed evidence (for the or each device, etc. for which the threshold is exceeded) is sent to the administrator in a warning message so that the administrator can decide what action to take about the suspected malicious behaviour (i.e. protective action). And Bar, e.g., [0008] The guard device then detects deviations from this normal pattern, typically by counting the number of anomalous packets that are directed to each of the monitored addresses during a given period of time (for example, one minute). When the count exceeds a predetermined threshold criterion, the guard device determines that a worm attack may have begun, and initiates protective action).

Regarding claim 7, claim 7 is an apparatus claim that encompasses limitations that are similar to the method claim 1. Therefore, claim 7 is rejected with the same rationale and motivation as applied against claim 1. In addition, El-Moussa teaches an apparatus for protecting a computer system against malicious command and control (C&C) channels to fixed Internet Protocol (IP) addresses, the apparatus comprising: a network interface controller (NIC); and at least one hardware processor (El-Moussa discloses a malicious behaviour detector for detecting malicious behaviour on a network, see [Abstract]. Fig. 1 Malicious behaviour detector 100, Fig. 2 Interface 110, Processor unit 120, Fig. 1 LAN 20 (i.e. private data network), Internet 40 (i.e. outside the private data network)).

Regarding claim 13, claim 13 is a computer software product claim that encompasses limitations that are similar to those of the method claim 1. Therefore, claim 13 is rejected with the same rationale and motivation as applied against claim 1. In addition, El-Moussa teaches a computer software product for protecting a computing system against malicious command and control (C&C) channels to fixed Internet Protocol (IP) addresses, the product comprising a non-transitory computer-readable medium storing program instructions (El-Moussa discloses a malicious behaviour detector for detecting malicious behaviour on a network, see [Abstract]. And [0027] The processor unit 120 co-operates with the memory 130 to perform processing functions based on computer program instructions (i.e. computer software product) stored in the memory. And Claim 5, a computer readable carrier medium).

Regarding claim 2, similarly claim 8, claim 14, the El-Moussa/Bar combination teaches the method according to claim 1, the apparatus according to claim 7, the product according to claim 13, and Bar further teaches: wherein computing the volume comprises measuring the volume of the packets transmitted from the one of the local nodes to the one of the public IP addresses in accordance with the selected protocol over a predefined time period (Bar, e.g., [0008] The guard device learns characteristics of the normal pattern of traffic that is directed to each of IP addresses in the monitored set, such as the maximum rate of incoming packets, ..., the protocols and ports that are used, and other parameters. The guard device then detects deviations from this normal pattern, typically by counting the number of anomalous packets that are directed to each of the monitored addresses during a given period of time). The same motivation as presented in claims 1, 7, 13 respectively would apply.

Regarding claim 3, similarly claim 9, claim 15, the El-Moussa/Bar combination teaches the method according to claim 1, the apparatus according to claim 7, the product according to claim 13, and Bar further teaches: wherein computing the volume comprises measuring the volume of the packets transmitted from the one of the local nodes to the one of the public IP addresses over the course of a communication session conducted in accordance with the selected protocol ([0072] One type of suspicious event is receipt of a packet addressed to one of the monitored destination addresses wherein the packet type is out of line with the statistical baseline established for that destination address. For example, if a given monitored address belongs to one of clients 34, one would not expect that address to receive TCP SYN packets (port 80). Detection of such a packet by guard device 28 may indicate that an infected computer is scanning random IP addresses in an attempt to find servers to which it can spread the infection. Thus, guard device 28 counts packets of types that deviate, in terms of port, protocol, or other parameters, from the established baseline profile for any given destination address in the monitored group as suspicious events). The same motivation as presented in claims 1, 7, 13 respectively would apply.

Regarding claim 4, similarly claim 10, claim 16, the El-Moussa/Bar combination teaches the method according to claim 1, the apparatus according to claim 7, the product according to claim 13, and Bar further teaches: wherein the permissible range is defined by a threshold, and wherein the protected action is initiated upon finding that the computed volume is greater than the threshold (e.g., [0008] The guard device then detects deviations from this normal pattern, typically by counting the number of anomalous packets that are directed to each of the monitored addresses during a given period of time (for example, one minute). When the count exceeds a predetermined threshold criterion, the guard device determines that a worm attack may have begun, and initiates protective action). The same motivation as presented in claims 1, 7, 13 respectively would apply.

Regarding claim 5, similarly claim 11, claim 17, the El-Moussa/Bar combination teaches the method according to claim 1, the apparatus according to claim 7, the product according to claim 13, and Bar further teaches: wherein the protocol is selected from a group of the multiple protocols consisting of HyperText Transfer Protocol (HTTP), HTTP Secure (HTTPS), Network Time Protocol (NTP), Simple Network Management Protocol (SNMP), and Secure Sockets Layer (SSL) protocol ([0023] detecting the deviation includes detecting a type of the communication traffic that appears to be of the malicious origin, and filtering the communication traffic includes intercepting the communication traffic of the detected type. Typically, detecting the type includes determining at least one of a communication protocol and a port that is characteristic of the communication traffic. And [0036] In a disclosed embodiment, monitoring the communication traffic includes detecting Internet Control Message Protocol (ICMP) unreachable packets. Additionally or alternatively, monitoring the communication traffic includes detecting failures to establish a Transmission Control Protocol (TCP) connection). The same motivation as presented in claims 1, 7, 13 respectively would apply.

Claims 6, 12, 18 are rejected under 35 U.S.C. 103 as being unpatentable over El-Moussa/Bar as applied above to claims 1, 7, 13 respectively, further in view of Dandliker et al (US20080082662A1, hereinafter "Dandliker").

Regarding claim 6, similarly claim 12, claim 18, the El-Moussa/Bar combination teaches the method according to claim 1, the apparatus according to claim 7, the product according to claim 13. The combination of El-Moussa/Bar does not explicitly teach the following limitation(s), which, in the same field of endeavor, Dandliker teaches: wherein identifying the packets comprises detecting that the packets were transmitted to a given public IP address without the at least one of the local nodes having previously received a Domain Name System (DNS) resolution with respect to the given public IP address (Dandliker discloses controlling access to network resources based on reputation, see [Abstract]. And [0139] The traffic monitor 628 allows the DNS request to complete by forwarding the DNS request to a DNS server. When a DNS response is received, traffic monitor 628 locally caches the resolved IP address contained in the response. Thereafter, when viruses or malware on client 612 attempt to send packets to the resolved IP address, traffic monitor 628 intercepts the packets and can compare the cached IP address to database 624 to determine if the address has a good reputation. If not, access can be blocked). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Dandliker in the malicious behavior detection of El-Moussa/Bar by comparing the IP address of intercepted packets to a database to determine the reputation of the IP address. This would have been obvious because the person having ordinary skill in the art would have been motivated to determine whether to allow or block access of a client device to network resources based on the reputation of the IP address from the DNS response (Dandliker, [Abstract]).

Citation of References

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following references are cited but not relied upon for this office action: Weber et al (US20060173992A1) discloses detecting network intrusions and other conditions in a network. Chiu et al (US20200145435A1) discloses a device and method for suspicious packet detection on HTTP packets transmitted from an internal network to an external network.

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL M LEE whose telephone number is (571)272-1975. The examiner can normally be reached on M-F: 8:30AM - 5:30PM. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Shewaye Gelagay, can be reached on (571) 272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MICHAEL M LEE/ Primary Examiner, Art Unit 2436
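The claim comparison and the claim 6 rejection above describe a single detection pipeline: build a per-node dataset of IPs received in DNS answers, treat traffic to a public IP that was never resolved as a fixed-IP channel candidate, then count packets per protocol over a time period and compare the count with a range defined for that protocol, refraining from protective action while the count stays inside it. The Python below is an added example written for this page; it is not code from application 18/961,594, the '820 patent, the cited references or the Office Action. It assumes a sensor that emits two record types (DNS answers received by a local node, and flow records carrying a protocol label and packet count), a 300-second window, and per-protocol ranges with illustrative numbers; the claims name the protocols but fix none of these values. The sample records are constructed.

```python
"""Fixed-IP C&C channel detection with per-protocol packet-volume ranges.

Added example for this page; not code from application 18/961,594, the '820
patent or the Office Action. Record format, protocol labels, window length and
range values are assumptions for illustration. Sample records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Tuple

Key = Tuple[str, str, str]  # (local node, public IP, protocol)

# Permissible packet count per window for each listed protocol. Claim 5 names
# the protocols; the numbers are assumed, not taken from the page.
PERMISSIBLE_RANGE: Dict[str, Tuple[int, int]] = {
    "HTTP": (0, 200), "HTTPS": (0, 400), "NTP": (0, 12),
    "SNMP": (0, 30), "SSL": (0, 400),
}
WINDOW_SECONDS = 300  # assumed "predefined time period" of claim 2

# Treated as the private network (RFC 1918, loopback, link-local); anything
# else counts as a public IP in this example.
LOCAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_public(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in LOCAL_NETS)


@dataclass(frozen=True)
class Event:
    ts: float
    src: str          # local node
    kind: str         # "dns": an answer src received; "flow": packets src sent
    dst: str          # resolved IP (dns) or destination IP (flow)
    proto: str = ""   # protocol label assigned by the sensor (flow only)
    packets: int = 0  # packets from src to dst in this record (flow only)


def parse_records(lines: Iterable[str]) -> List[Event]:
    """Parse the assumed record format and return events in time order:
         <ts> DNS  <local_ip> <name> <resolved_ip>
         <ts> FLOW <local_ip> <dst_ip> <proto> <packets>
    """
    events = []
    for line in lines:
        f = line.split()
        if not f or f[0].startswith("#"):
            continue
        ts, kind = float(f[0]), f[1].upper()
        if kind == "DNS" and len(f) == 5:
            events.append(Event(ts, f[2], "dns", f[4]))
        elif kind == "FLOW" and len(f) == 6:
            events.append(Event(ts, f[2], "flow", f[3], f[4].upper(), int(f[5])))
    return sorted(events, key=lambda e: e.ts)


def detect(events: Iterable[Event]) -> Dict[Key, Tuple[str, int]]:
    """Return {(src, dst, proto): (verdict, packets in the busiest window)}.

    Only flows to a public IP the sending node had not previously received in
    a DNS answer are considered (the fixed-IP test). Their packet volume per
    (src, dst, proto) is summed per window and compared with the protocol's
    range: inside -> "refrain"; outside, or protocol not listed -> "protect".
    """
    resolved = defaultdict(set)  # dataset of DNS-resolved IPs, per local node
    volume = defaultdict(int)    # (src, dst, proto, window) -> packets
    for e in events:
        if e.kind == "dns":
            resolved[e.src].add(e.dst)
            continue
        if not is_public(e.dst) or e.dst in resolved[e.src]:
            continue  # internal destination, or reached via DNS: out of scope
        volume[(e.src, e.dst, e.proto, int(e.ts // WINDOW_SECONDS))] += e.packets

    worst: Dict[Key, int] = {}
    for (src, dst, proto, _w), count in volume.items():
        worst[(src, dst, proto)] = max(worst.get((src, dst, proto), 0), count)

    verdicts: Dict[Key, Tuple[str, int]] = {}
    for key, count in worst.items():
        rng = PERMISSIBLE_RANGE.get(key[2])
        inside = rng is not None and rng[0] <= count <= rng[1]
        verdicts[key] = ("refrain" if inside else "protect", count)
    return verdicts


# Constructed sample, not captured traffic: 10.0.0.x are local nodes; the
# documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24
# stand in for public IPs.
SAMPLE_RECORDS = """
100 DNS  10.0.0.5 www.example.com 192.0.2.10
105 FLOW 10.0.0.5 192.0.2.10 HTTPS 180
110 FLOW 10.0.0.5 10.0.0.53 DNS 2
120 FLOW 10.0.0.5 198.51.100.7 HTTPS 900
130 FLOW 10.0.0.7 203.0.113.9 NTP 3
140 FLOW 10.0.0.7 203.0.113.9 NTP 4
150 FLOW 10.0.0.9 198.51.100.7 IRC 5
""".strip().splitlines()


def run_sample() -> Dict[Key, Tuple[str, int]]:
    return detect(parse_records(SAMPLE_RECORDS))


if __name__ == "__main__":
    for (src, dst, proto), (verdict, count) in sorted(run_sample().items()):
        print(f"{src} -> {dst} [{proto}] packets={count}: {verdict}")
```

Run as a script it prints one verdict per (local node, public IP, protocol) for traffic to IPs the node never resolved: the HTTPS flow to 192.0.2.10 is skipped because the node resolved that address first, the NTP flows to 203.0.113.9 total 7 packets and stay inside their range (the claim 14 "refrain" branch), the 900-packet HTTPS flow and the IRC flow (a protocol not on the list) both trigger protective action. The window length and range values are deliberately explicit constants, since those are the parameters the claims leave open and a deployment has to learn or tune.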

Prosecution Timeline

Nov 27, 2024
Application Filed
Mar 20, 2026
Non-Final Rejection — §103, §DP (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12596786: ANOMALOUS EVENT AGGREGATION FOR ANALYSIS AND SYSTEM RESPONSE (granted Apr 07, 2026; 2y 5m to grant)
Patent 12579301: Data Plane Management Systems and Methods (granted Mar 17, 2026; 2y 5m to grant)
Patent 12580927: DETECTING AND PROTECTING CLAIMABLE NON-EXISTENT DOMAINS (granted Mar 17, 2026; 2y 5m to grant)
Patent 12579279: System and Method for Summarization of Complex Cybersecurity Behavioral Ontological Graph (granted Mar 17, 2026; 2y 5m to grant)
Patent 12580938: CONDITIONAL HYPOTHESIS GENERATION FOR ENTERPRISE PROCESS TREES (granted Mar 17, 2026; 2y 5m to grant)
Study what changed to get past this examiner. Based on 5 most recent grants.


Prosecution Projections

Expected OA Rounds: 1-2
Grant Probability: 84%
With Interview: 99% (+44.1%)
Median Time to Grant: 3y 0m
PTA Risk: Low
Based on 259 resolved cases by this examiner. Grant probability derived from career allow rate.
