DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Wright, U.S. Patent 8,776,218.

As per claim 1, Wright discloses a system comprising:
at least one processor (col. 19, line 62 through col. 20, line 2); and
memory storing instructions that, when executed by the at least one processor, causes the system to perform a set of operations (col. 19, line 62 through col. 20, line 2), the set of operations comprising:
encountering a first instruction of a behavior rule indicating at least one event (gene), wherein the at least one event is associated with a behavior (phenotypes are a collection of genes, col. 2, lines 23-24; col. 17, lines 49-58; and col. 18, lines 4-7);
in response to encountering the first instruction, pausing execution (col. 1, lines 45-61);

processing, based on a second instruction (gene type) of the behavior rule, information associated with the event occurrence (col. 1, lines 45-65 and col. 18, lines 4-7);
encountering a third instruction (gene type) of the behavior rule, wherein the third instruction is a halt instruction indicating a determination as to the behavior has been made (col. 1, lines 45-66 and col. 18, lines 4-7); and
performing, by the system, an action (remediation) in response to the halt instruction (col. 1, line 52 through col. 2, line 10).
As per claim 2, it is taught wherein the halt instruction indicates a positive match determination as to the behavior, and wherein performing the action comprises taking a remedial action based on the determination as to the behavior (col. 1, line 52 through col. 2, line 10).
As per claim 3, it is disclosed wherein the halt instruction indicates a negative match determination as to the behavior, and wherein performing the action comprises continuing normal system execution (col. 17, lines 49-58 and col. 17, line 67 through col. 18, line 3).
As per claim 4, it is taught wherein the halt instruction indicates additional monitoring should be performed, and wherein performing the action comprises performing additional monitoring for the behavior (col. 1, line 52 through col. 2, line 10).
As per claim 5, it is disclosed wherein the event occurrence indicates that an event of the at least one event occurred (col. 19, lines 48-59).
As per claim 6, it is taught wherein the event occurrence indicates that every event of the at least one event occurred (col. 19, lines 48-59).

As per claim 8, Wright teaches a system comprising:
at least one processor (col. 19, line 62 through col. 20, line 2); and
memory storing instructions that, when executed by the at least one processor, causes the system to perform a set of operations (col. 19, line 62 through col. 20, line 2), the set of operations comprising:
encountering a first instruction of a behavior rule indicating at least one event (gene) and a parameter (modifications or behaviors) for the at least one event, wherein the at least one event is associated with a behavior (phenotypes are a collection of genes, col. 2, lines 23-24; col. 17, lines 49-58; and col. 18, lines 4-7);
in response to encountering the first instruction, pausing execution (it is interpreted by the Examiner that the code instructions will resume once analyzed after being paused) (col. 1, lines 45-61);
when an event occurrence associated with the at least one event (gene type) is identified at a computing device and the event occurrence associated with the at least one event indicates that an event having the parameter indicated by the first instruction occurred, resuming execution (col. 1, lines 45-63);
processing, based on a second instruction (event type) of the behavior rule, information associated with the event occurrence (col. 1, lines 45-65 and col. 18, lines 4-7);

performing, by the computing device, an action (remediation) in response to the halt instruction (col. 1, line 52 through col. 2, line 10).
As per claim 9, it is disclosed wherein the parameter is defined as an exact match for an event parameter of the at least one event (col. 1, line 52 through col. 2, line 10).
As per claim 10, it is taught wherein the parameter is defined as a regular expression indicating an inexact match for an event parameter of the at least one event (col. 19, lines 4-14 and 21-25).
As per claim 11, it is disclosed wherein the information associated with the event occurrence comprises the parameter that matched the regular expression indicating the inexact match for the event parameter of the at least one event (col. 19, lines 4-14 and 21-25).
As per claim 12, it is taught wherein the halt instruction indicates a determination selected from the group of determinations consisting of:
a positive match determination as to the behavior;
a negative match determination as to the behavior; and
an inconclusive determination indicating that additional monitoring should be performed (col. 1, lines 45-66; col. 17, lines 49-58; and col. 17, line 67 through col. 18, line 3).
As per claim 13, it is disclosed wherein the first instruction further comprises a negative indication, which indicates a negative event match that is not the event occurrence for the at least one event (col. 17, lines 49-58 and col. 17, line 67 through col. 18, line 3).
As per claim 14, Wright teaches a method for executing a behavior rule to perform behavioral threat detection, comprising:

in response to encountering the first instruction, pausing execution (it is interpreted by the Examiner that the code instructions will resume once analyzed after being paused) (col. 1, lines 45-61);
when an event occurrence associated with the at least one event (gene type) is identified, resuming execution (col. 1, lines 45-63);
processing, based on a second instruction (event type) of the behavior rule, information associated with the event occurrence (col. 1, lines 45-65 and col. 18, lines 4-7);
encountering a third instruction (gene type) of the behavior rule, wherein the third instruction is a halt instruction indicating a determination as to the behavior has been made (col. 1, lines 45-66 and col. 18, lines 4-7); and
performing, by the system, an action (remediation) in response to the halt instruction (col. 1, line 52 through col. 2, line 10).
As per claim 15, it is disclosed wherein the halt instruction indicates a positive match determination as to the behavior, and wherein performing the action comprises taking a remedial action based on the determination as to the behavior (col. 1, line 52 through col. 2, line 10).
As per claim 16, it is taught wherein the halt instruction indicates a negative match determination as to the behavior, and wherein performing the action comprises continuing normal system execution (col. 17, lines 49-58 and col. 17, line 67 through col. 18, line 3).
As per claim 17, it is disclosed wherein the halt instruction indicates additional monitoring should be performed, and wherein performing the action comprises performing additional monitoring for the behavior (col. 1, line 52 through col. 2, line 10).

As per claim 19, it is disclosed wherein the event occurrence indicates that every event of the at least one event occurred (col. 19, lines 48-59).
As per claim 20, it is taught wherein the first instruction indicating the at least one event further comprises an indication of a parameter (modifications or behaviors) for the at least one event, and wherein the event occurrence associated with the at least one event indicates that an event having the parameter indicated by the first instruction occurred (col. 2, lines 23-24; col. 17, lines 49-58; and col. 18, lines 4-7).
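The following is an added illustration of the claimed rule-execution model as it is recited in claims 1-20 above (first instruction naming events and a parameter, pausing until a matching event occurrence, a second instruction processing the occurrence, a halt instruction carrying a positive, negative, or inconclusive determination, and an action taken on that determination). It is example code written for this page; it is not code from the application under examination, from Wright, or from any other reference of record. The instruction names (Wait, Proc, Halt), the action names ("remediate", "continue", "monitor"), the event names, the regular expression, and the sample event stream are all constructed assumptions for the illustration.

```python
import re
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Iterable, Union


class Determination(Enum):
    POSITIVE = "positive"          # behavior matched
    NEGATIVE = "negative"          # behavior ruled out
    INCONCLUSIVE = "inconclusive"  # not enough information yet

# Hypothetical action names: what the system does on each determination.
ACTIONS = {Determination.POSITIVE: "remediate",    # remedial action
           Determination.NEGATIVE: "continue",     # normal execution
           Determination.INCONCLUSIVE: "monitor"}  # additional monitoring


@dataclass(frozen=True)
class Event:
    name: str
    param: str = ""  # one parameter per event keeps the example small

@dataclass
class Wait:  # first instruction: event(s) to pause on, optional parameter
    events: frozenset
    param: Union[str, re.Pattern, None] = None  # str = exact, Pattern = regex
    require_all: bool = False  # every named event must occur
    negate: bool = False       # resume on an event that does NOT match

@dataclass
class Proc:  # second instruction: process information from the occurrence
    fn: Callable[[dict, Event], None]

@dataclass
class Halt:  # third instruction: a determination has been made
    determination: Determination


def _param_ok(spec, value: str) -> bool:
    if spec is None:
        return True
    if isinstance(spec, str):
        return value == spec               # exact match
    return spec.search(value) is not None  # inexact (regex) match

def _satisfied(w: Wait, ev: Event, seen: set) -> bool:
    hit = ev.name in w.events and _param_ok(w.param, ev.param)
    if w.negate:
        return not hit
    if not hit:
        return False
    seen.add(ev.name)
    return w.events <= seen if w.require_all else True

def run_rule(instructions, events: Iterable[Event]):
    """Return (determination, action, context) for one rule over a stream.

    Execution pauses at each Wait, consuming events until it is satisfied,
    then resumes. If the stream ends while paused the result is
    INCONCLUSIVE, i.e. keep monitoring.
    """
    ctx, seen, pc, stream = {}, set(), 0, iter(events)
    while pc < len(instructions):
        ins = instructions[pc]
        if isinstance(ins, Wait):
            ev = next(stream, None)
            if ev is None:
                return Determination.INCONCLUSIVE, ACTIONS[Determination.INCONCLUSIVE], ctx
            if _satisfied(ins, ev, seen):
                ctx["last"], seen, pc = ev, set(), pc + 1
        elif isinstance(ins, Proc):
            ins.fn(ctx, ctx.get("last"))
            pc += 1
        elif isinstance(ins, Halt):
            return ins.determination, ACTIONS[ins.determination], ctx
        else:
            raise TypeError(f"unknown instruction {ins!r}")
    raise ValueError("rule ended without a halt instruction")


# Constructed rule: an .exe written under a Temp directory, then a process
# created from a Temp .exe; the halt indicates a positive match.
TEMP_EXE = re.compile(r"[\\/]Temp[\\/][^\\/]+\.exe$", re.IGNORECASE)

def remember_dropped(ctx, ev):
    ctx["dropped"] = ev.param

def check_same_path(ctx, ev):
    ctx["same_path"] = ev.param.lower() == ctx.get("dropped", "").lower()

DROPPER_RULE = [Wait(frozenset({"file_create"}), TEMP_EXE), Proc(remember_dropped),
                Wait(frozenset({"process_create"}), TEMP_EXE), Proc(check_same_path),
                Halt(Determination.POSITIVE)]

# Constructed rule: the Temp .exe carried a trusted signature (exact parameter
# match), so the halt indicates a negative match and execution continues.
SIGNED_RULE = [Wait(frozenset({"file_create"}), TEMP_EXE),
               Wait(frozenset({"signature_verified"}), "trusted"),
               Halt(Determination.NEGATIVE)]

# Constructed event stream (a list, so each rule iterates it from the start).
SAMPLE_EVENTS = [Event("file_create", r"C:\Users\alice\AppData\Local\Temp\update.exe"),
                 Event("registry_write", r"HKCU\Software\Example"),
                 Event("process_create", r"C:\Users\alice\AppData\Local\Temp\update.exe")]

def evaluate(events):
    return {"dropper": run_rule(DROPPER_RULE, events),
            "signed": run_rule(SIGNED_RULE, events)}

if __name__ == "__main__":
    for name, (det, action, _) in evaluate(SAMPLE_EVENTS).items():
        print(f"{name}: {det.value} -> {action}")
```

On the constructed stream the dropper rule halts with a positive determination and the "remediate" action, while the signed rule never sees its trusted-signature event and the stream runs out with the rule still paused, which yields the inconclusive determination and the "monitor" action. The `negate` flag resumes the rule on an event that is not the listed event, and `require_all` distinguishes "at least one of the listed events occurred" from "every listed event occurred". The stream must be a re-iterable sequence (a list here) when several rules are run over it.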

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Li et al., U.S. Patent, is relied upon for disclosing detection of memory leaks and filtering to determine the suspicious parts of the source code behind the attack; see column 2, line 62 through column 3, line 3.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER A REVAK whose telephone number is (571)272-3794. The examiner can normally be reached 5:30am - 3:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/CHRISTOPHER A REVAK/Primary Examiner, Art Unit 2431