Patent 8635697
Obviousness
Combinations of prior art that suggest the claimed invention would have been obvious under 35 U.S.C. § 103.
Active provider: Google · gemini-2.5-flash
Obviousness Analysis of US Patent 8635697 under 35 U.S.C. § 103
This analysis identifies combinations of prior art references that would render the independent claims (1, 15, and 24) of US patent 8635697 obvious to a person having ordinary skill in the art (POSITA) as of the patent's filing date (April 8, 2011). The motivation for combining these references will also be explained.
The core inventive concept of US8635697, as reflected in its independent claims, involves network-based malware detection combined with operating system (OS) identification from network traffic, where the OS ID is included in a generated alert to facilitate targeted remediation. The patent specifically addresses the challenge of identifying individual infected devices behind Network Address Translation (NAT) devices.
Prior Art References Considered:
- US7627898B2 to Microsoft Corporation (hereinafter "Microsoft"): Titled "Method and system for detecting infection of an operating system," this patent was published on December 1, 2009.
- US8020211B2 to Ncircle Network Security, Inc. (hereinafter "Ncircle"): Titled "Network security system having a device profiler communicatively coupled to a traffic monitor," this patent was published on September 13, 2011, but claims priority to an application filed on August 25, 2000, making it prior art to US8635697.
Combination 1: Microsoft (US7627898B2) in view of Ncircle (US8020211B2)
This combination renders independent claims 1, 15, and 24 obvious.
Reasoning for Obviousness:
Microsoft (US7627898B2) teaches a system and method for network-based malware detection and alert generation. Specifically, it discloses that a "network monitor detects network intrusions and malicious software activity (e.g., malware or spyware). If malicious software activity is detected, an alert server sends an alert message." This reference thus teaches:
- Receiving network packets (implicitly, by a "network monitor" detecting activity).
- Determining if malware is present by detecting "malicious software activity", which a POSITA would understand to involve comparing traffic against malware signatures or similar detection rules.
- Generating an alert message when malware is detected.
However, Microsoft does not explicitly teach determining an OS ID and including it in the malware alert. The background of US8635697 highlights a known problem in network-based malware detection: the difficulty of identifying a specific computing device behind a NAT device, which hinders focused remediation efforts (US8635697B2, "Background" and "Detailed Description" sections).
Ncircle (US8020211B2) addresses the identification of devices on a network. It teaches a "network security system having a device profiler communicatively coupled to a traffic monitor." The device profiler "determines device profile information for each device on the network, such as device type, device operating system, software services, and hardware characteristics" (US8020211B2, col. 3, ll. 6-9). This reference clearly teaches determining an operating system identifier (OS ID) for computing devices from network traffic.
Motivation to Combine:
A POSITA in the field of network security would have a strong motivation to combine the teachings of Microsoft and Ncircle. The problem of identifying the specific infected device behind a NAT, as recognized by US8635697, was a known challenge in network-based security. Microsoft's system detects malware and generates alerts, but without specific device or OS information, these alerts are less actionable, particularly in environments with multiple devices sharing a single external IP address via NAT.
Ncircle provides a solution for identifying the OS of devices from network traffic. By integrating Ncircle's OS identification capabilities into Microsoft's malware detection and alerting system, a POSITA would realize a significant improvement in the utility and effectiveness of the malware alerts. Including the OS ID in the alert, as enabled by Ncircle's device profiler, would allow service providers to notify subscribers about a specific type of infected OS, thereby enabling more targeted and efficient remediation (e.g., directing the user to clean "the Windows XP machine" rather than simply "a machine"). This combination directly addresses the identified need for more precise identification of infected computing devices to improve remediation processes, making the alerts more informative and valuable.
Obviousness of Independent Claims:
Claim 1 (Method Claim):
- Preamble: "A method of network based malware detection in a service provider network": Taught by Microsoft.
- a) "receiving one or more transmission control protocol (TCP) packets originating from an access device coupled to the service provider network, the one or more TCP packets defining a TCP session between a computing device coupled to the access device, and a destination coupled to the service provider network": Microsoft's network monitor and Ncircle's traffic monitor both inherently receive and analyze network packets, including TCP packets, from devices accessing a network, often via an access device with NAT.
- b) "determining an operating system identifier (OS ID) associated with the TCP session and the computing device": Explicitly taught by Ncircle's "device profiler" which determines "device operating system" information from network traffic (US8020211B2, col. 3, ll. 6-9). A POSITA would understand this OS identification to be associated with the network session of the device.
- c) "determining if malware is present in the TCP session and an associated malware ID by comparing a malware signature to the one or more TCP packets": Taught by Microsoft's "network monitor detects network intrusions and malicious software activity." This implies comparing network traffic against signatures for detection.
- d) "generating an alert identifying a network address associated with the access device, the malware ID and the OS ID associated with TCP session that generated the alert": Microsoft teaches generating an alert with malware information. Given the motivation to improve alert utility, a POSITA would readily incorporate the OS ID obtained from Ncircle's teachings into this existing alert mechanism. The network address of the access device is standard information in network alerts.
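The four elements of claim 1 describe one detection pipeline: receive TCP packets, derive an OS ID for the session, match the traffic against malware signatures, and emit an alert carrying the access device's address, the malware ID and the OS ID. The following Python is an added illustration of that pipeline written for this analysis; it is not code from US8635697, Microsoft or Ncircle. The OS fingerprints, the malware signatures and the packets are all constructed for the example, and the fingerprinting keys only on the SYN packet's initial TTL and window size (one of the techniques the dependent claims mention), which is far cruder than a real profiler.

```python
"""Added example: a minimal pipeline following claim 1 elements (a)-(d).

Assumptions (constructed for illustration, not from the patent or prior art):
- OS fingerprints are keyed on TCP SYN parameters (initial TTL bucket, window size).
- Malware signatures are byte patterns matched against the payload.
- Packets are built inline as dataclasses rather than parsed from a capture.
"""
from dataclasses import dataclass, field

# Constructed SYN fingerprints: (initial TTL bucket, window size) -> OS ID.
# A real passive fingerprinter carries many more fields and entries.
OS_FINGERPRINTS = {
    (64, 65535): "macOS/BSD-like",
    (64, 29200): "Linux-like",
    (128, 8192): "Windows-like",
    (128, 64240): "Windows-like",
}

# Constructed malware signatures: (malware ID, byte pattern expected in payload).
MALWARE_SIGNATURES = [
    ("MAL-0001", b"EVILBOT_CHECKIN"),
    ("MAL-0002", b"/c2/beacon?id="),
]


@dataclass
class TcpPacket:
    src_ip: str       # as seen by the sensor: the access device's (NAT) address
    dst_ip: str
    src_port: int
    dst_port: int
    syn: bool
    ack: bool
    ttl: int
    window: int
    payload: bytes = b""


@dataclass
class Session:
    key: tuple
    access_device_ip: str
    os_id: str = "unknown"
    seen_malware: list = field(default_factory=list)


def fingerprint_os(pkt):
    """Element (b): derive an OS ID from the SYN that opens the session.

    Routers and NAT devices decrement the TTL, so the observed value is bucketed
    back to the common initial values (64, 128, 255) before the lookup.
    """
    ttl_bucket = 64 if pkt.ttl <= 64 else 128 if pkt.ttl <= 128 else 255
    return OS_FINGERPRINTS.get((ttl_bucket, pkt.window), "unknown")


def match_malware(payload):
    """Element (c): compare each signature against the packet payload."""
    for malware_id, pattern in MALWARE_SIGNATURES:
        if pattern in payload:
            return malware_id
    return None


def process_packets(packets):
    """Elements (a)-(d): track sessions, fingerprint on SYN, alert on hits.

    Returns one alert per (session, malware ID); each alert carries the access
    device address, the malware ID and the OS ID of the session's SYN, so two
    hosts behind the same NAT address are still told apart by OS.
    """
    sessions = {}
    alerts = []
    for pkt in packets:
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if pkt.syn and not pkt.ack:
            sessions[key] = Session(key, pkt.src_ip, fingerprint_os(pkt))
            continue
        sess = sessions.get(key)
        if sess is None:
            continue  # mid-stream packet with no observed SYN: no OS ID available
        malware_id = match_malware(pkt.payload)
        if malware_id and malware_id not in sess.seen_malware:
            sess.seen_malware.append(malware_id)
            alerts.append({
                "access_device": sess.access_device_ip,
                "malware_id": malware_id,
                "os_id": sess.os_id,
                "session": key,
            })
    return alerts


# Constructed traffic: two hosts behind one NAT address (203.0.113.10).
# TTLs are 127 and 63 because the NAT hop decremented them once.
SAMPLE_PACKETS = [
    TcpPacket("203.0.113.10", "198.51.100.5", 50000, 80, True, False, 127, 8192),
    TcpPacket("203.0.113.10", "198.51.100.5", 50000, 80, False, True, 127, 8192,
              b"GET /c2/beacon?id=42 HTTP/1.1\r\n"),
    TcpPacket("203.0.113.10", "198.51.100.5", 50001, 443, True, False, 63, 29200),
    TcpPacket("203.0.113.10", "198.51.100.5", 50001, 443, False, True, 63, 29200,
              b"\x16\x03\x01 client hello"),
]


def demo():
    """Run the pipeline over the constructed traffic and return the alerts."""
    return process_packets(SAMPLE_PACKETS)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Running it yields a single alert for the Windows-like session on port 50000 with malware ID MAL-0002; the Linux-like session on port 50001 produces none. The point the example makes for the NAT discussion above is that both sessions share the same access device address, and only the OS ID attached at SYN time distinguishes the infected host in the alert.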
Claim 15 (System Claim):
The system described in Claim 15 is an obvious architectural implementation of the method outlined in Claim 1. A POSITA would readily implement the functions described in Claim 1 using conventional network sensors (as taught by Microsoft's network monitor and Ncircle's traffic monitor and device profiler; US8020211B2, col. 3, ll. 6-9), processors, and memory. The use of "a plurality of network sensors" would be a design choice to achieve network coverage, common in network security systems.
Claim 24 (Computer Readable Memory Claim):
Given that the method of Claim 1 is obvious, storing instructions for performing this method on a "computer readable memory" is a routine and obvious step for a POSITA. Software implementation of network monitoring, OS detection, and alert generation is conventional.
Conclusion
The combination of US7627898B2 (Microsoft) and US8020211B2 (Ncircle), with the clear motivation to provide more actionable intelligence in malware alerts by identifying the OS of the infected device, renders independent claims 1, 15, and 24 of US8635697 obvious under 35 U.S.C. § 103. The dependent claims, which further detail OS identification techniques (e.g., SYN packet fingerprinting and User-Agent string analysis), describe well-known methods in the art of network OS detection that would naturally be employed within Ncircle's device profiler and are thus also obvious.
Generated 5/25/2026, 6:47:46 AM