Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
Information Disclosure Statement
The information disclosure statement (IDS) submitted is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Response to Arguments
In communications filed on 12/24/2020, claims 1-20 are presented for examination. Claims 1, 14, and 20 are independent.
Amended claim(s): 1, 14, and 20.
Double patenting rejection is withdrawn in view of the TD filed 12/24/20.
Applicants’ arguments, see Applicant Arguments/Remarks filed 12/24/20, with respect to claim(s) rejected under prior art have been considered but are not persuasive as secondary reference Gupta (US 20150356451 A1) teaches deriving and extracting various features related to applications including attribute features and behavioral features that include actions 
  
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:

2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1-8 and 12-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over US 20110023118 A1 (hereinafter Wright) disclosed in the IDS in view of US 20150356451 A1 (hereinafter Gupta) disclosed in the IDS.

claim 1, Wright (US 20110023118 A1) discloses: A method comprising: providing an application firewall deployed at a gateway and in communication with an endpoint through a network; (Wright: ¶39-¶42, i.e., the threat management facility and the detection facility monitoring the endpoints; ¶47-¶48, i.e., the personal firewall and the network firewall)
monitoring an application executing on the endpoint; (Wright: ¶20, ¶47, i.e., monitoring application execution)
on the endpoint and in response to a first observed action of the application, coloring the application with a descriptor of a context for the first observed action, the first observed action corresponding to access of a resource of the endpoint, and the descriptor…for a relevance to threat detection; (Wright: ¶20, ¶23, ¶57-¶65, collecting multiple observed behaviors (i.e., first, second, third) wherein each behavior is a particular gene associated with a malicious behavior, and tagging one or more genes as a phenotype i.e., descriptor, indicating malicious or suspicious application)
However, Wright does not explicitly disclose: a target action and a reportable event count of occurrences of the target action. However, in analogous art, Gupta (US 20150356451 A1) teaches deriving and extracting various features related to applications including attribute features and behavioral features that include actions performed by the application and 
Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to modify Wright to include application attribute and behavioral features that include actions performed by the application and numbers of times the actions performed as taught by Gupta with the motivation to classify applications whether they are benign, malicious, or performance degrading (Gupta: Abstract, Fig. 2, ¶4, ¶36-¶37, ¶56-¶75) 
Wright et al combination further discloses: applying a rule dependent on the descriptor at the endpoint in response to a second observed action of the application to detect a reportable event, the second observed action including a number of occurrences of the target action by the application that exceeds the reportable event count of occurrences indicated by the descriptor; (Wright: ¶6-¶7, ¶20, ¶23, ¶26, i.e., applying policy rules based on the identified behavior to mitigate the behavior, ¶32m ¶57-¶65, collecting multiple observed behaviors (i.e., first, second, third) wherein each behavior is a particular gene associated with a malicious behavior, and tagging one or more 
communicating the reportable event through the network from the endpoint to the application firewall; and (Wright: ¶20-¶21, ¶38, ¶39, ¶47) 
limiting access by the application through the gateway to a network resource with the application firewall based on the reportable event. (Wright: ¶20-¶21, ¶38, ¶39, ¶47-¶48)

Claims 14 and 20 recite substantially the same features recited in claim 1 above; and are rejected based on the aforementioned rationale in the rejection.

As regards claim 2, Wright et al combination discloses the method of claim 1, further comprising applying firewall rules based on a reputation of the application when the application launches. (Wright: ¶20, ¶23, ¶36)

Claim 15 recites substantially the same features recited in claim 2 above; and is rejected based on the aforementioned rationale in the rejection.

claim 3, Wright et al combination discloses the method of claim 1, further comprising changing an access rule for the endpoint based upon the reportable event. (Wright: ¶28, ¶30)

Claim 16 recites substantially the same features recited in claim 3 above; and is rejected based on the aforementioned rationale in the rejection.

As regards claim 4, Wright et al combination discloses the method of claim 1, wherein the endpoint is at least one of a web server or a client device. (Wright: Fig. 1, ¶17, ¶20, ¶21)

Claim 17 recites substantially the same features recited in claim 4 above; and is rejected based on the aforementioned rationale in the rejection.

As regards claim 5, Wright et al combination discloses the method of claim 1, wherein the rule depends on a plurality of observed actions on the endpoint. (Wright: ¶6-¶7, ¶20, ¶23, ¶26, i.e., applying policy rules based on the identified behavior to mitigate the behavior, ¶32m ¶57-¶65, collecting multiple observed behaviors (i.e., first, second, third) wherein each behavior is a particular gene associated with a malicious 

Claim 18 recites substantially the same features recited in claim 5 above; and is rejected based on the aforementioned rationale in the rejection.

As regards claim 6, Wright et al combination discloses the method of claim 1, wherein the application firewall is included on the endpoint. (Wright: ¶39-¶42, i.e., the threat management facility and the detection facility monitoring the endpoints; ¶47-¶48, i.e., the personal firewall and the network firewall)

As regards claim 7, Wright et al combination discloses the method of claim 1, wherein the application firewall is included on a destination server. (Wright: ¶39-¶42, i.e., the threat management facility and the detection facility monitoring the endpoints; ¶47-¶48, i.e., the personal firewall and the network firewall)

As regards claim 8, Wright et al combination discloses the method of claim 1, wherein the application firewall is included as part of a routing of the network. (Wright: ¶39-¶42, ¶47-¶48)

claim 12, Wright et al combination discloses the method of claim 1, further comprising coloring data on the endpoint, wherein the transmission of data from the endpoint includes transmission of the colored data. (Wright: ¶20, ¶23, ¶57-¶65)

As regards claim 13, Wright et al combination discloses the method of claim 12, wherein coloring data is in response to the first observed action. (Wright: ¶20, ¶23, ¶57-¶65)

As regards claim 19, Wright et al combination discloses the computer program product of claim 14, wherein the computer executable code further performs the step of coloring data on the endpoint, and the transmission of data from the endpoint includes transmission of the colored data. (Wright: ¶20, ¶23, ¶57-¶65)

Claims 9-11 is/are rejected under 35 U.S.C. 103 as being unpatentable over Wright in view of Gupta in view of US 20150121449 A1 (hereinafter CP) disclosed in the IDS.

As regards claim 9, Wright et al combination discloses the method of claim 1. However, Wright et al do not but in analogous art, CP (US 20150121449 A1) teaches: wherein the descriptor 
Before the effective date of the invention, it would have been obvious to one of ordinary skill in the art to modify Wright et al to include metadata about an object that includes object identifier as taught by CP with the motivation to identify whether the identified object is benign or good (CP: ¶39)

As regards claim 10, Wright et al combination discloses the method of claim 9, wherein the object is the application. (Wright: ¶20, ¶47)

As regards claim 11, Wright et al combination discloses the method of claim 9, wherein the object is an item accessed by the application. (Wright: ¶20-¶21)

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is 
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED A ZAIDI whose telephone number is (571)270-5995.  The examiner can normally be reached on Monday-Thursday: 5:30AM-5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/SYED A ZAIDI/Primary Examiner, Art Unit 2432