DETAILED ACTION
Notice of Pre-AIA or AIA Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

2.	Claims 1-22 are pending and have been examined.

Priority
3.	Receipt is acknowledged of certified copies of papers required by 37 CFR 1.55.

Claim Rejections - 35 USC § 101
4.	35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


5.	Claim 19 is rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  The claim does not fall within at least one of the four categories of patent eligible subject matter because, while directed to a system i.e., an apparatus, the claim fails to positively recite any hardware element. 
	The Applicant’s instant Specification does not limit the processor of claim 19 to any hardware embodiment. Additionally, paragraph [0066] of the instant Specification indicates that the functions of the processor of claim 1 may be carried out by a software security module. 

Claim Rejections - 35 USC § 112
6.	The following is a quotation of 35 U.S.C. 112(d):
(d) REFERENCE IN DEPENDENT FORMS.—Subject to subsection (e), a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.


7.	Claim 22 is rejected under 35 U.S.C. 112(d) as being of improper dependent form for failing to further limit the subject matter of the claim upon which it depends, or for failing to include all the limitations of the claim upon which it depends.  Claim 22 fails the infringement test since it does not require all of the elements of the claim upon which it depends. One may possess the medium of claim 22 without performing the method of claim 1 upon which it depends. Applicant may cancel the claim(s), amend the claim(s) to place the claim(s) in proper dependent form, rewrite the claim(s) in independent form, or present a sufficient showing that the dependent claim(s) complies with the statutory requirements.

8.	The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


9.	Claims 1-18 are rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention.

10.	Claims 1, 6, 8, 10, 14, 15 listed below recite limitations for which there is insufficient antecedent basis for the limitations in the claims:

Claim 1	…the one or more client computer devices…
Claim 6	…the one or more client computer devices…
Claim 8	…the running application…
Claim 10	…the associated application…
	…the one or more client computer devices…
Claim 14	…the running application…
Claim 15	…the running application…
	…the characteristic action…
	…a further malware scan… (no previous malware scan has been performed)

11.	Claim 15 recites the limitation: “performing a further malware scan on the application”. It is not clear which application is being referred to and therefore the claim is indefinite as a result.

12.	Claims 2-5, 7, 9, 11-13, and 16-18 are dependent from claims 1 and 10 and do not cure their deficiency, therefore they are rejected on the same basis as claims 1 and 10.

Claim Rejections - 35 USC § 102
13.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any 

14.	The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


15.	Claims 1, 2, 6-8, 10, 11, 13-16, and 19-22 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Salajegheh et al. US 2016/078347 A1 (Cited in the Applicant’s IDS). Salajegheh teaches:

	As for claim 1, a method of application behavior control on a computer system (abstract, [0003]), the method comprising:
a) grouping applications into a set of clusters, wherein each application is grouped to a specific cluster on the basis of predefined event profiles for applications in the specific cluster, each event profile identifying one or more procedures known to be performed by the associated application (fig. 6, [0126]: processing core may identify software applications that should be analyzed together as a group, reading on a cluster, where the grouping may be determined based on a determination being made that the 
b) monitoring procedures that a specific cluster performs on one or more computer devices (fig. 6, [0126]: processing core may monitor the activities of the identified applications); and
c) generating a list of expected events and prohibited events of the specific cluster based on monitoring ([0126]: the processing core may collect behavior information for each of the monitored activities, reading on a listing of expected events and prohibited events of a specific cluster) for enabling the one or more client computer devices and/or an administrator of the one or more client computer devices to take further action related to the applications installed on the one or more client computer devices ([0126]: the processing core may generate a behavior vector that characterizes the collective behavior of the identified applications based on the collected behavior information, the processing core may then apply the behavior vector to a classifier model to generate analysis information to determine whether the collective behavior of the identified applications is benign). 
 
As for claim 2, a method according to claim 1, wherein a group of applications in a cluster includes multiple versions of the same application and/or similar applications having at least similar event profiles ([0003]: the behavior of a plurality of applications is evaluated, fig. 6, [0126]: processing core may identify software applications that should be analyzed together as a group, reading on a cluster, where the grouping may be determined based on a determination being made that the applications are colluding or 

As for claim 6, a method according to claim 1, the method further comprising providing the generated list of expected events and prohibited events of the specific cluster to one or more client computer devices and/or the administrator for enabling the one or more client computer devices to allow the expected events and to block prohibited events of the applications installed on the one or more client computer devices and/or for enabling an administrator of the one or more client computer devices to manage an application inventory used to control the applications installed on the one or more client computer devices (fig. 11 element 1118, [0148]: device processor may determine whether suspicious behaviors determined as per [0147] can be identified or corrected based on the results of behavioral analysis, processor may initiate a process to correct the behavior such as by restricting a process as shown in fig. 11 element 1118).

As for claim 7, a method according to claim 1, wherein said procedures include any one or more of: establishment of a secure session; communication over a secure session; file operations; registry operations; memory operations ([0055]: behavioral monitoring and analysis system may monitor operations such as memory read/write operations); network operations.
 

API calls made by the running application ([0085]: behavior observer module may be configured to monitor library API calls, system call APIs);
information made available to plugins of the running application;
actions relating to Browser Helper Objects;
 file access operations performed by the running application [0085];
network operations performed by the running application [0085];
encrypted communications sent by the running application.

As for claims 10, 11, and 13, these claims are drawn to a method corresponding to the methods of claims 1, 2, and 7. Claims 10, 11, and 13 recite substantially the same limitations as do claims 1, 2, and 7 and are rejected on the same basis.
Claim 10 differs from claim 1 in referring to “installed applications” versus “applications” in claim 1. Salajegheh teaches this feature at paragraph [0126] where applications are evaluated as they execute on a device, reading on installed.

As for claim 14, a method according to claim 10, wherein the expected and/or prohibited events include one or more of:
system files created under program files;  
registry launch points modified;
UAC elevation requests;
downloading remote files;

modifying user files;
installing drivers and services;
API calls made by the running application ([0085]: behavior observer module may be configured to monitor library API calls, system call APIs);
information made available to plugins of the running application;
actions relating to Browser Helper Objects;
file access operations performed by the running application [0085];  
network operations performed by the running application [0085];
encrypted communications sent by the running application. 
 
As for claim 15, a method according to claim 10, wherein in addition to blocking prohibited events, the method further comprises handling the running application by one or more of: terminating a process of the running application (fig. 11 element 1118, [0148]: device processor may determine whether suspicious behaviors determined as per [0147] can be identified or corrected based on the results of behavioral analysis, processor may initiate a process to correct the behavior such as by restricting a process as shown in fig. 11 element 1118); terminating the characteristic action or an action resulting from the characteristic action (fig. 11 element 1118, [0148]: device processor may determine whether suspicious behaviors determined as per [0147] can be identified or corrected based on the results of behavioral analysis, processor may initiate a process to correct the behavior such as by restricting a process as shown in fig. 11 
 
As for claim 16, a method according to claim 10, wherein taking the further action comprises: allowing the expected events and blocking prohibited events of the applications installed on the one or more client computer devices (fig. 11 element 1118, [0148]: device processor may determine whether suspicious behaviors determined as per [0147] can be identified or corrected based on the results of behavioral analysis, processor may initiate a process to correct the behavior such as by restricting a process as shown in fig. 11 element 1118) and/or managing an application inventory used to control the applications installed on the one or more client computer devices.

As for claims 19, 20, and 22, these claims are drawn to the computer system, server, and computer program-product embodied in a non-transitory storage medium, respectively, that correspond to the method of claim 1. Claims 19, 20, and 22 recite substantially the same limitations as claim 1 and are rejected on the same basis.

As for claim 21, the server according to claim 20, the processor being further configured to send the generated list of expected events and prohibited events of the specific cluster to one or more client computer devices ([0098]: a server may download a classifier model, i.e., a behavior model, reading on a list of expected events and prohibited events, to a device).

Claim Rejections - 35 USC § 103
16.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

17.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


18.	The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

19.	This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was 

20.	Claims 3, 4, and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Salajegheh, and Park US 2016/0378989 A1.

 	As for claim 3, Salajegheh teaches the method according to claim 1. Park, in analogous prior art, teaches the features not taught by Salajegheh wherein the step of grouping applications into the set of clusters comprises one or more of: obtaining installation packages from a vendor ([0016]: behavior information is collected from an application during installation), crowdsourcing meta data of application files from the one or more client computer devices, querying product descriptions of the applications and using text classification.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have incorporated this feature into the invention of Salajegheh. It would have been desirable to do so since collection of such information at the time of installation of an application would enable an administrator to detect potentially malicious code before it has executed, thereby enhancing the effectiveness and utility of Salajegheh’s invention.

	As for claim 4, Salajegheh teaches the method according to claim 1. Park, in analogous prior art, teaches the features not taught by Salajegheh wherein the procedures related to an event profile comprise one or more of: creating and modifying system files and settings; installing, updating, and removing system components ([0016]: behavior information is collected from an application during installation or deletion), modifying other applications; registering application automatic start launch points; requesting user elevation; creating system files; creating and modifying user files; running other processes; loading of specific modules; receiving data from specific remote host computers; downloading files; opening a local server.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have incorporated this feature into the invention of Salajegheh. It would have been desirable to do so since collection of such information at the time of installation of an application would enable an administrator to detect potentially malicious code before it has executed, thereby enhancing the effectiveness and utility of Salajegheh’s invention.

As for claim 12, this claim is drawn to a method that corresponds to the method of claim 4. Claim 12 recites substantially the same limitations as claim 4 and is rejected on the same basis.

20.	Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Salajegheh, and Kirkpatrick US 2012/0233165 A1.

 	As for claim 5, Salajegheh teaches the method according to claim 1. Kirkpatrick, in analogous prior art teaches the additional features not taught by Salajegheh further comprising discovering procedures of an application by one or more of: executing the application in a controlled sandbox ([0042]: a behavior analyzer module will analyze the manner in which an application operates in a sandbox. This information will be supplied to a similarity module as per [0046] which uses it to identify similar applications), receiving events from crowdsourcing, static analyzing of the application components. 
	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have incorporated this feature into the invention of Salajegheh. It would have been desirable to do so since collection of such information while limiting an application to execution in a sandbox would enable an administrator to detect potentially malicious code without its having executed on a device, thereby enhancing the security and utility of Salajegheh’s invention.
 
21.	Claims 9, 17, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Salajegheh, and Aziz US 10,462,173.

As for claim 9, Salajegheh teaches the method according to claim 1. Aziz, in analogous prior art teaches the additional features not taught by Salajegheh wherein the method further comprises generating the event profile for the applications in the specific cluster by one or more of: monitoring the behavior of the application running on a plurality of client computer devices and identifying procedures and respective 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have incorporated this feature into the invention of Salajegheh. It would have been desirable to do so since collection of such information from a plurality of devices, and subjecting a suspicious object to static analysis would enhance the accuracy of malware detection and thereby increase utility and hence marketability of Salajegheh’s invention.

As for claim 17, Salajegheh teaches a method according to claim 10. Aziz teaches the additional features not taught by Salajegheh wherein the step of matching installed applications with predetermined set of clusters further comprises: computing application file hashes and querying backend server computer for the cluster data (col. 18 line 24 through col. 19 line 25: an endpoint device will process an object and identify features of the object. If malicious features are detected, the object or an identifier of the object, reading on metadata, is provided over a network to a malware detection system where it is analyzed by static analysis, col. 10 lines 8-36: a fingerprint or hash of the 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have incorporated this feature into the invention of Salajegheh. It would have been desirable to do so since comparison of a hash of a suspicious application to a database comprising hashes of known malware applications would enhance the accuracy of malware detection and thereby increase utility and hence marketability of Salajegheh’s invention.

As for claim 18, Salajegheh teaches the method according to claim 10. Aziz teaches the steps not taught by Salajegheh wherein the step of matching installed applications with predetermined set of clusters further comprises: querying backend server computer with meta data and/or fuzz hash of the application (col. 18 line 24 through col. 19 line 25: an endpoint device will process an object and identify features of the object. If malicious features are detected, the object or an identifier of the object, reading on metadata, is provided over a network to a malware detection system where it is analyzed by static analysis).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have incorporated this feature into the invention of Salajegheh. It would have been desirable to do so since Aziz’s step of querying a backend server with metadata of a suspicious object would enhance the accuracy of malware detection in Salajegheh’s system and would thereby increase utility and hence marketability of Salajegheh’s invention.

Conclusion
22.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to PAUL E CALLAHAN whose telephone number is (571)272-3869.  The examiner can normally be reached on M-Th; Tu-F: 8am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid can be reached on 571-272-4063.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/PAUL E CALLAHAN/Examiner, Art Unit