DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Priority
Applicant’s claim for the benefit of a prior-filed application under 35 U.S.C. 119(e) or under 35 U.S.C. 120, 121, 365(c), or 386(c) is acknowledged. 

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 6 July 2020 has been considered by the examiner.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 8-14 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  The claims do not fall within at least one of the four categories of patent eligible subject matter because the can be reasonably interpreted as being directed to software.  Claim 8 recites a system whose only recited element is a processor. Under the BRI, a processor can be interpreted as either software or hardware, and a claim whose only recited element is software does not fall 

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-5, 8-12 and 15-19 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1-7 of copending Application No. 16/173405 (reference application). Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the ‘405 application anticipate the claims of the instant application.
This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.
As to claims 1, 8 and 15, the ‘405 Application discloses a method for correlating malware detections by endpoint devices and servers, comprising (Claim 7: The method of claim 6, further comprising): 
sending, by the server of the sandbox, the events of Types A and B and the final verdict to a correlator); 
correlating, by the correlator, the one or more events collected without invasive techniques with the one or more events collected using the one or more invasive techniques (Claim 7: correlating the collected events of Types A and B; for events of Type A that are correlated with events of Type B used to detect malwares); 
creating, by the correlator, a suspicious pattern, when an event of the one or more events collected without invasive techniques is correlated with an event of the one or more events collected using the one or more invasive techniques, and the event of the one or more events collected using the one or more invasive techniques is used to detect a malware (Claim 7: creating suspicious patterns of events of Type A); and 
updating, by the correlator, databases of one or more endpoint devices with created suspicious patterns (Claim 7: updating malware detection models of one or more endpoint devices and one or more servers of the sandbox based on results of the correlation, wherein the updating includes at least distributing the created suspicious patterns to the one or more endpoint devices and the one or more servers of the sandbox, the endpoint device being protected from the malwares being one of the one or more endpoint devices to which the created suspicious patterns are distributed).
As to claims 2, 9 and 16, the ‘405 Application discloses the method of claim 1, wherein each final verdict is issued by a server of the one or more servers in response to receiving a sample of a process from an endpoint device of the one or more endpoint The method of claim 1, the final verdict being determined by a deep dynamic analysis tool of a server of the sandbox by: collecting events of Types A and B for the sample; and analyzing the collected events of Type B using one or more detection models of the deep dynamic analysis tool to detect malwares, the final verdict being indicative of whether the process is the malware or clean based on a deep dynamic analysis of the events of Type B.).
As to claims 3, 10 and 17, the ‘405 Application discloses the method of claim 2, wherein the endpoint device sends the request for the final verdict to the server when the process is determined as being a suspicious pattern based on a light dynamic analysis by the endpoint device (Claim 1: performing, by the light analysis tool of the endpoint device, a light dynamic analysis of the received sample when the process is not determined as being the malware based on the performed light static analysis; when the process is determined as being clean based on the light dynamic analysis).
As to claims 4, 11 and 18, the ‘405 Application discloses the method of claim 1, further comprising: updating, by the correlator, databases of the one or more servers with results of the correlation (Claim 7: updating malware detection models of one or more endpoint devices and one or more servers of the sandbox based on results of the correlation, wherein the updating includes at least distributing the created suspicious patterns to the one or more endpoint devices and the one or more servers of the sandbox, the endpoint device being protected from the malwares being one of the one or more endpoint devices to which the created suspicious patterns are distributed).  
claims 5, 12 and 19, the ‘405 Application discloses the method of claim 1, wherein the one or more servers serve one or more sandboxes (Claim 7: updating malware detection models of one or more endpoint devices and one or more servers of the sandbox based on results of the correlation, wherein the updating includes at least distributing the created suspicious patterns to the one or more endpoint devices and the one or more servers of the sandbox, the endpoint device being protected from the malwares being one of the one or more endpoint devices to which the created suspicious patterns are distributed).  

Allowable Subject Matter
Claims 6-7, 13-14 and 20 objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims and for claims 13 and 14, resolution of the above 35 U.S.C. 101 rejection.

Priority
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
U.S. Patent Application Publication No. 2006/0242703 by Abeni discloses generating patterns that can be used to determine if the pattern is suspect or not
U.S. Patent Application Publication No. 2007/0294271 by Bammi et al. discloses detecting suspicious patterns in data
U.S. Patent Application Publication No. 2016/0381042 by Zhang discloses generating and learning suspicious patterns

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL S MCNALLY whose telephone number is (571)270-1599.  The examiner can normally be reached on Monday-Friday, 8:30 AM - 5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached on (469)295-9235.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


MICHAEL S. MCNALLY
Primary Examiner
Art Unit 2432



/Michael S McNally/Primary Examiner, Art Unit 2432