DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-20 have been examined in this application. This communication is the first action on the merits.
Priority
Application 19/025,184 was filed on 01/16/2025 and is a CON of 16/552,434 08/27/2019 which is a CON of 14/684,507 04/13/2015 PAT 10,438,207.
Examiner Request
The Applicant is requested to indicate where in the specification there is support for amendments to claims should Applicant amend. The purpose of this is to reduce potential 35 U.S.C. § 112(a) or § 112 1st paragraph issues that can arise when claims are amended without support in the specification. The Examiner thanks the Applicant in advance.
Double Patenting
The non-statutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. See In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) may be used to overcome an actual or provisional rejection based on a non-statutory double patenting ground provided the conflicting application or patent is shown to be commonly owned with this application. See 37 CFR 1.131(c). A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The filing of a terminal disclaimer by itself is not a complete reply to a non-statutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional, the reply must be complete. MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to a final Office action, see 37 CFR 1.113(c). A request for reconsideration, while not provided for in 37 CFR 1.113(c), may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13.
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application will determine what form should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to MPEP 1490(V)(A).
Claim 1 is rejected on the ground of non-statutory double patenting as being unpatentable over claim 1 of U.S. Patent No. 12,299,690.
Claim 1 of the instant application is broader and fully encompasses the steps of patent claim 1 of US Patent No. 12,299,690.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to combine the method steps of the 11,100,500 Patent with a step to modify the computer system with a payment gateway as known substitutions of one known element for another, and the resulting provision and updating means would have been predictable.
Claims 19 and 10 are substantially similar to claim 1, thus, they are rejected on the same grounds.
Application 19/025,184, claim 1:
1. A computer-implemented method for predicting advanced persistent threats (APTs) in a network, the method comprising:
obtaining data including virtual currency transactions that are potentially associated with malicious activity;
de-anonymizing at least a portion of the virtual currency transactions to identify originating or receiving endpoints;
analyzing the de-anonymized virtual currency transactions to determine a threat index for a subscribed entity, wherein the threat index indicates a likelihood of an APT;
and one or more of i) notifying the subscribed entity of the likelihood of the APT or
ii) triggering one or more mitigation actions in the network, based on the threat index.
US Patent No. 12,299,690, claim 1:
1. A non-transitory computer-readable medium having instructions that, when executed, cause one or more processors to perform the steps of:
obtaining data related to events and triggers for one or more attacks, wherein the data includes a plurality of i) virtual currency transactions that includes crypto currency, ii) network traffic flow, and iii) sentiment on any of social media, blogs, and news feeds;
correlating the data with one or more subscribed entities;
determining a threat index for an attack on a computer system of a specific subscribed entity of the one or more subscribed entities through analysis of the correlated data, wherein the threat index provides a probability of the attack on the specific subscribed entity, and wherein the threat index is determined over time using the events and triggers;
notifying the specific subscribed entity of a likelihood of the attack based on the threat index; and
automatically causing mitigation of the attack based on the likelihood of the attack, wherein the mitigation include one or more actions which change operating parameters in the network relative to the specific subscribed entity.
Claim Rejections - 35 USC § 101
35 U.S.C. § 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-20 are rejected under 35 U.S.C. § 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more. (MPEP 2106). The claims are directed to a method, a system, and an apparatus, which are among the statutory categories of invention (Step 1: YES). The recitation of the claimed invention is analyzed as follows, in which the abstract elements are boldfaced.
Claim 1 recites the limitations of:
A computer-implemented method for predicting advanced persistent threats (APTs) in a network, the method comprising: obtaining data including virtual currency transactions that are potentially associated with malicious activity;
de-anonymizing at least a portion of the virtual currency transactions to identify originating or receiving endpoints;
analyzing the de-anonymized virtual currency transactions to determine a threat index for a subscribed entity, wherein the threat index indicates a likelihood of an APT; and
one or more of i) notifying the subscribed entity of the likelihood of the APT or ii) triggering one or more mitigation actions in the network, based on the threat index.
Claim 19 recites the limitations of:
A network element in a network, the network element comprising circuitry configured to provide network services to a subscribed entity, obtain a threat index for the subscribed entity that is indicative of likelihood of an advanced persistent threat (APT), and
perform one or more mitigation actions related to the subscribed entity, based on the threat index,
wherein the threat index is determined based on analyzing virtual currency transactions that are potentially associated with malicious activity, and
de-anonymizing at least a portion of the virtual currency transactions to identify originating or receiving endpoints.
The claim as a whole recites a method that, under its broadest reasonable interpretation, covers collecting, analyzing, and transmitting data to facilitate tracking, predicting, and mitigating threats in financial transactions. This is a fundamental economic practice of a financial transaction; a commercial interaction, such as for business relations; and managing personal behavior or relationships or interactions between people, which are certain methods of organizing human activity.
Thus, the claims recite an abstract idea. (Step 2A, prong 1: YES).
Moreover, the judicial exception is not integrated into a practical application. Other than reciting “A computer-implemented method for predicting advanced persistent threats (APTs) in a network, the method comprising:”, “virtual currency”, and “A network element in a network, the network element comprising circuitry configured to provide network services to a subscribed entity”, to perform the steps of “obtaining”, “de-anonymizing”, “analyzing”, “notifying”, “triggering”, and “performing”, nothing in the claim elements precludes the steps from practically being a certain method of organizing human activity. The claim as a whole does not integrate the judicial exception into a practical application. The claim merely describes how to generally “apply” the concept of collecting, analyzing, and transmitting data to facilitate tracking, predicting, and mitigating threats in financial transactions in a computer environment. The additional computer elements recited in the claim limitations are recited at a high level of generality such that they amount to no more than mere instructions to apply the exception utilizing generic computer components.
For example, the Specification discloses “[0023] Referring to FIG. 1, in an exemplary embodiment, a network diagram illustrates a system 10 for tracking, predicting, and mitigating APTs in a network 12 or collection of networks. The network 12 (or collection of networks) includes various network elements 14, data resources 16, and the like, which can collectively be referred to as service delivery resources. That is, the network 12 provides connectivity for users at various layers, such as Layers 0 (photonic), 1 (time-division multiplexing), 2 (packet), 3 (Internet Protocol), and/or 4-7 (application). The network elements 14, data resources 16, etc. can include, without limitation, switches, routers, packet/optical switches, storage devices, Wave Division Multiplexing (WDM) equipment, time division multiplexing (TDM) switches, and the like. The network 12 can include any type of wired/wireless network from the access layer to metro, regional, and long haul network layers. The network 12 can include the Internet, Wide Area Networks (WANs), Local Area Networks (LANs), Virtual LANs (VLANs), etc.”
“[0062] Referring to FIG. 8, in an exemplary embodiment, a block diagram illustrates a server 600 such as for the implementing various components of the system 10, the APT prediction and mitigation process 400, and the like. The server 600 can be a digital computer that, in terms of hardware architecture, generally includes a processor 602, input/output (I/O) interfaces 604, a network interface 606, a data store 608, and memory 610. It should be appreciated by those of ordinary skill in the art that FIG. 8 depicts the server 600 in an oversimplified manner, and a practical embodiment may include additional components and suitably configured processing logic to support known or conventional operating features that are not described in detail herein.”
Thus, the specification supports that general purpose computers or computer components are utilized to implement the steps of the abstract idea.
Merely implementing the abstract idea on a generic computer is not a practical application of the abstract idea. The claim as a whole, viewing the additional elements both individually and in combination, does not integrate the judicial exception into a practical application. Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea. (Step 2A, prong 2: NO)
The claim does not include additional elements, when considered both individually and as an ordered combination, that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements of using “A computer-implemented method for predicting advanced persistent threats (APTs) in a network, the method comprising:”, “virtual currency”, and “A network element in a network, the network element comprising circuitry configured to provide network services to a subscribed entity”, to perform the steps of “obtaining”, “de-anonymizing”, “analyzing”, “notifying”, “triggering”, and “performing”, amount to no more than mere instructions to apply the exception using generic computer components. The claim merely describes how to generally “apply” the concept of collecting, analyzing, and transmitting data to facilitate tracking, predicting, and mitigating threats in financial transactions in a computer environment. Thus, even when viewed as a whole, nothing in the claim adds significantly more (i.e., an inventive concept) to the abstract idea. Such additional elements are determined to not contain an inventive concept according to MPEP 2106.05(f).
It should be noted that (1) the “recitation of claim limitations that attempt to cover any solution to an identified problem with no restriction on how the result is accomplished and no description of the mechanism for accomplishing the result, does not provide significantly more because this type of recitation is equivalent to the words “apply it”, and (2) “Use of a computer or other machinery in its ordinary capacity for economic or other tasks (e.g., to receive, store, or transmit data) or simply adding a general purpose computer or computer components after the fact to an abstract idea (e.g., a fundamental economic practice, commercial interaction, or managing personal behavior or relationships or interactions between people, mental process, or mathematical calculation) does not integrate a judicial exception into a practical application or provide significantly more”.
Claim 10 is substantially similar to claim 1, thus, it is rejected on similar grounds.
Claim 10 recites the additional elements of “A non-transitory computer-readable medium storing instructions for predicting advanced persistent threats (APTs) in a network, the instructions, when executed, cause one or more processors to perform steps of:”.
For similar reasons as explained above with regard to claim 1, under Step 2A, prong two, these additional elements are merely applying generic computer components to implement the abstract idea. Under Step 2B, when viewing the additional elements individually and in combination, the additional elements do not amount to an inventive concept amounting to significantly more than the judicial exception itself as the claimed computer-related technologies are mere tools for implementing the abstract idea as explained with regard to claim 1.
Dependent claims 2-9, 11-18, and 20 merely limit the abstract idea and do not recite any further additional elements beyond the cited abstract idea and the elements addressed above, thus, they do not amount to significantly more. The dependent claims are abstract for the reasons presented above because there are no additional elements that integrate the abstract idea into a practical application or are sufficient to amount to significantly more than the judicial exception when considered both individually and as an ordered combination. Thus, the dependent claims are directed to an abstract idea. (Step 2B: No)
Therefore, claims 1-20 are not patent-eligible.
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. §§ 102 and 103 (or as subject to pre-AIA 35 U.S.C. §§ 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. § 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.
Claims 1-3, 5-12, and 14-20 are rejected under 35 U.S.C. § 102(a)(1) as being anticipated by Stiansen, U.S. Patent Application Publication Number 2016/0044054.
As per claim 1,
Stiansen explicitly teaches:
A computer-implemented method for predicting advanced persistent threats (APTs) in a network, the method comprising: obtaining data including virtual currency transactions that are potentially associated with malicious activity;
(Stiansen US20160044054 at paras. 27-29, 159) ("[0027] In another aspect, described herein, among other things, is a system for reducing the security risk of transactions with a computer over a computer network comprising: a computer network; a first computer on the computer network having a first computer network address and communicating with a second computer on the computer network; a communication between said first computer and said second computer being indicative of a user of the first computer being engaged in a risk activity and including the first computer network address;" "[0159] risk activity is categorized by the technological facets of the IP Address causing suspicious, including but not limited to: open proxies; open relays; brute force attempts; use of bogons; use of botnets; bitcoin and other virtual currency transactions;")
de-anonymizing at least a portion of the virtual currency transactions to identify originating or receiving endpoints;
(Stiansen US20160044054 at paras. 27-29, 159) ("[0027] a monitoring system on the computer network having one or more monitoring agents autonomously obtaining the first computer network address from the communication; one or more algorithms assigning a risk score to transactions over the computer network from the first computer network address, the risk based at least in part on the communication; wherein the monitoring system utilizes the risk score to inhibit a communication between the first computer and a third computer.")
analyzing the de-anonymized virtual currency transactions to determine a threat index for a subscribed entity, wherein the threat index indicates a likelihood of an APT; and
(Stiansen US20160044054 at paras. 22, 27-29, 127, 159) ("[0027] a monitoring system on the computer network having one or more monitoring agents autonomously obtaining the first computer network address from the communication; one or more algorithms assigning a risk score to transactions over the computer network from the first computer network address, the risk based at least in part on the communication; wherein the monitoring system utilizes the risk score to inhibit a communication between the first computer and a third computer." "[0127] These data sources are used, for example, to identify Martian packets and bogons. Any method is used to collect this third party data (12), including without limitation by subscription, by request, or through the use of automated or semi-automated processes such as collection agents (10). In an embodiment, third party data (12) is stored in a database (14).")
one or more of i) notifying the subscribed entity of the likelihood of the APT or ii) triggering one or more mitigation actions in the network, based on the threat index.
(Stiansen US20160044054 at paras. 27-29, 74, 156, 159, 163-165) ("[0027] wherein the monitoring system utilizes the risk score to inhibit a communication between the first computer and a third computer." "[0074] When a risky activity is detected, the traffic is blocked or cleaned, and a system administrator is notified.")
As per claim 2,
Stiansen explicitly teaches:
further comprising updating the threat index after the one or more mitigation actions which reduce an impact of the APT on the subscribed entity.
(Stiansen US20160044054 at paras. 27-29, 74, 156, 159, 163-165) ("[0163] In some embodiments, the template/darklist is updated regularly or irregularly. In certain embodiments, the template/darklist is updated automatically by a configuration device, wherein the configuration device is on the local computer network or is remote to the computer network. [0164] In additional embodiments, the plurality of the data entries further comprise one or more of the following: one or more Internet protocol addresses, geolocation information, one or more categories, one or more communication protocols used, and one or more risk scores. [0165] In some embodiments, the template/darklist is configured or defined by a user. The list associated with risky activities/addresses is called blacklist; the list associated with non-risky activities/addresses is called white list.")
As per claim 3,
Stiansen explicitly teaches:
wherein the triggering the one or more mitigation actions includes adjusting at least one network operating parameter for the subscribed entity.
(Stiansen US20160044054 at paras. 27-29, 74, 156, 159, 163-165) ("[0027] wherein the monitoring system utilizes the risk score to inhibit a communication between the first computer and a third computer." "[0074] When a risky activity is detected, the traffic is blocked or cleaned, and a system administrator is notified." "[0163] In some embodiments, the template/darklist is updated regularly or irregularly. In certain embodiments, the template/darklist is updated automatically by a configuration device, wherein the configuration device is on the local computer network or is remote to the computer network. [0164] In additional embodiments, the plurality of the data entries further comprise one or more of the following: one or more Internet protocol addresses, geolocation information, one or more categories, one or more communication protocols used, and one or more risk scores. [0165] In some embodiments, the template/darklist is configured or defined by a user. The list associated with risky activities/addresses is called blacklist; the list associated with non-risky activities/addresses is called white list.")
As per claim 5,
Stiansen explicitly teaches:
wherein the adjusting the at least one network operating parameter includes changing a service priority.
(Stiansen US20160044054 at paras. 156, 213-216) ("[0216] The appliance and system were able to provide (a) real-time delivery of fraud and security intelligence data; (b) configurable live scores that enable true risk prioritization; (c) integration through a simple API to let network managers easily configure the security policy; (d) powerful and visualized analytics that provide rich and comprehensive reporting data; (e) geolocation filter scoring and transaction blocking by geographical attributes; (f) flexible risk categories that let network managers configure rules and polices unique to their business." "[0156] By way of example and not limitation, the customer determines that IP Addresses with a botnet risk score of 75 or higher should be filtered out and connections prohibited. However, a smaller enterprise have less bandwidth and less tolerance for mischief, and determine that an IP Address presenting a botnet risk score of 40 or higher should be filtered out and the connection prohibited.")
As per claim 6,
Stiansen explicitly teaches:
wherein the adjusting the at least one network operating parameter includes increasing service monitoring.
(Stiansen US20160044054 at paras. 27-29, 74, 156, 159, 163-165) ("[0027] wherein the monitoring system utilizes the risk score to inhibit a communication between the first computer and a third computer." "[0074] When a risky activity is detected, the traffic is blocked or cleaned, and a system administrator is notified." "[0163] In some embodiments, the template/darklist is updated regularly or irregularly. In certain embodiments, the template/darklist is updated automatically by a configuration device, wherein the configuration device is on the local computer network or is remote to the computer network. [0164] In additional embodiments, the plurality of the data entries further comprise one or more of the following: one or more Internet protocol addresses, geolocation information, one or more categories, one or more communication protocols used, and one or more risk scores. [0165] In some embodiments, the template/darklist is configured or defined by a user. The list associated with risky activities/addresses is called blacklist; the list associated with non-risky activities/addresses is called white list.")
As per claim 7,
Stiansen explicitly teaches:
further comprising correlating the de-anonymized virtual currency transactions with other data to refine the threat index.
(Stiansen US20160044054 at paras. 159, 213-219) ("[0219] This example included a system/appliance that comprised a big data analytics platform. Over 1,500 different threat and risk factors were used to deliver a live risk score and deep contextual information providing visibility into the threat profile of any public IP address. Delivered in milliseconds via a global high-speed delivery platform, the system/appliance provided a proprietary IP address risk grading—the IPQ score—and detailed threat context that enable highly effective solutions for online fraud prevention and protection from cyber attacks including zero-day exploits and APTs.")
As per claim 8,
Stiansen explicitly teaches:
wherein the threat index is computed as a weighted function of the de-anonymized virtual currency transactions and the other data.
(Stiansen US20160044054 at paras. 137-145, 159) ("[0141] In an embodiment, the rating system (18) operates in real time. In an embodiment, the rating engine weighs and compares different factors to arrive at a numerical assessment of the severity of risk presented by a given IP Address, as well as the risk categories for that risk activity. Because the present systems and methods are designed to be “learning” systems, a complete examination of the weighing and balancing of these factors is impossible, but some illustrative, but not limiting, examples are provided herein, such as in FIG. 2.")
As per claim 9,
Stiansen explicitly teaches:
wherein the obtaining the data includes receiving virtual currency transaction information from a monitoring gateway configured to detect patterns indicative of short-burst, suspicious transaction activity.
(Stiansen US20160044054 at paras. 12-14, 226-228, 159) ("[0013] In addition to obscuring the true source of the malicious behavior, bots also allow malefactors to carry out attacks not otherwise possible on the shoestring budget of a cybercriminal. For example, governments and large corporations usually have substantial bandwidth available to handle Internet traffic and use sophisticated load balancers to route incoming traffic to idle resources which promptly services the connection. No one individual computer on commodity hardware has the horsepower to take down this kind of corporate network. However, in some embodiments the wrongdoer utilizes a “bot herder” program to organize millions of zombies into a “botnet” and coordinate a simultaneous distributed attack on a single system. The botnet floods the victim network with traffic that appears innocent but quickly brings the system to its knees, causing legitimate users to receive a “timeout” message stating that the web site is too busy to serve them. This type of attack is known as Distributed Denial of Service (“DDoS”) attack." "[0227] Emulating many different types of network infrastructure, protocols, and services, the system/appliance created 6-7 million concurrent transactions at any given time.")
As per claim 19,
Stiansen explicitly teaches:
A network element in a network, the network element comprising circuitry configured to provide network services to a subscribed entity, obtain a threat index for the subscribed entity that is indicative of likelihood of an advanced persistent threat (APT), and
(Stiansen US20160044054 at paras. 22, 27-29, 127, 159) ("[0027] a monitoring system on the computer network having one or more monitoring agents autonomously obtaining the first computer network address from the communication; one or more algorithms assigning a risk score to transactions over the computer network from the first computer network address, the risk based at least in part on the communication; wherein the monitoring system utilizes the risk score to inhibit a communication between the first computer and a third computer." "[0127] These data sources are used, for example, to identify Martian packets and bogons. Any method is used to collect this third party data (12), including without limitation by subscription, by request, or through the use of automated or semi-automated processes such as collection agents (10). In an embodiment, third party data (12) is stored in a database (14).")
perform one or more mitigation actions related to the subscribed entity, based on the threat index,
(Stiansen US20160044054 at paras. 27-29, 74, 156, 159, 163-165) ("[0027] wherein the monitoring system utilizes the risk score to inhibit a communication between the first computer and a third computer." "[0074] When a risky activity is detected, the traffic is blocked or cleaned, and a system administrator is notified.")
wherein the threat index is determined based on analyzing virtual currency transactions that are potentially associated with malicious activity, and
(Stiansen US20160044054 at paras. 27-29, 159) ("[0027] In another aspect, described herein, among other things, is a system for reducing the security risk of transactions with a computer over a computer network comprising: a computer network; a first computer on the computer network having a first computer network address and communicating with a second computer on the computer network; a communication between said first computer and said second computer being indicative of a user of the first computer being engaged in a risk activity and including the first computer network address;" "[0159] risk activity is categorized by the technological facets of the IP Address causing suspicious, including but not limited to: open proxies; open relays; brute force attempts; use of bogons; use of botnets; bitcoin and other virtual currency transactions;")
de-anonymizing at least a portion of the virtual currency transactions to identify originating or receiving endpoints.
(Stiansen US20160044054 at paras. 27-29, 159) ("[0027] a monitoring system on the computer network having one or more monitoring agents autonomously obtaining the first computer network address from the communication; one or more algorithms assigning a risk score to transactions over the computer network from the first computer network address, the risk based at least in part on the communication; wherein the monitoring system utilizes the risk score to inhibit a communication between the first computer and a third computer.")
As per claim 20,
Stiansen explicitly teaches:
wherein the one or more mitigation actions include one or more of increasing network bandwidth, changing a service priority, or increasing service monitoring.
(Stiansen US20160044054 at paras. 27-29, 74, 156, 159, 163-165, 213-216) ("[0216] The appliance and system were able to provide (a) real-time delivery of fraud and security intelligence data; (b) configurable live scores that enable true risk prioritization; (c) integration through a simple API to let network managers easily configure the security policy; (d) powerful and visualized analytics that provide rich and comprehensive reporting data; (e) geolocation filter scoring and transaction blocking by geographical attributes; (f) flexible risk categories that let network managers configure rules and polices unique to their business." "[0156] By way of example and not limitation, the customer determines that IP Addresses with a botnet risk score of 75 or higher should be filtered out and connections prohibited. However, a smaller enterprise have less bandwidth and less tolerance for mischief, and determine that an IP Address presenting a botnet risk score of 40 or higher should be filtered out and the connection prohibited.")
Claim 10 is substantially similar to claim 1, thus, it is rejected on similar grounds.
Claims 11-18 are substantially similar to claims 2-19, thus, they are rejected on similar grounds.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. §§ 102 and 103 (or as subject to pre-AIA 35 U.S.C. §§ 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. § 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 4 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Stiansen, U.S. Patent Application Publication Number 2016/0044054; in view of Joll, U.S. Patent Application Publication Number 2014/0157405.
As per claim 4,
Stiansen does not explicitly teach, however, Joll does teach:
wherein the adjusting the at least one network operating parameter includes increasing network bandwidth.
(Joll US20140157405 at paras. 148-150) ("[0149] As indicated earlier, the invention relies primarily on observing network traffic and developing baselines of expected flows and inventories of host characteristics. Desirably, the invention is configured to automatically update its baselines on an ongoing basis. As a result, there is not significant tuning or customization to be performed, other than updating firewall rule set-like policies that are offered by most products. Also, administrators may wish to adjust thresholds periodically (e.g., how much additional bandwidth usage should trigger an alert) to take into account changes to the environment. Thresholds can often be set on a per-host basis or for administrator-defined groups of hosts. The invention offers whitelist and blacklist capabilities for hosts and service and is customizable for each alert (e.g., specifying which prevention option it should trigger).")
Therefore, it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Stiansen and Joll, because it allows for an improved scalable cyber-security system and architecture for the identification of malware and malicious behavior in a computer network. (Joll at Abstract and paras. 2-36).
Claim 13 is substantially similar to claim 4, thus, it is rejected on similar grounds.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure and is available for review on Form PTO-892 Notice of References Cited.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MERRITT J HASBROUCK whose telephone number is (571)272-3109. The examiner can normally be reached M-F 9:00-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Christine Tran, can be reached on 571-272-8103. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MERRITT J HASBROUCK/Examiner, Art Unit 3695
/CHRISTINE M Tran/Supervisory Patent Examiner, Art Unit 3695