DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
	Claims 26-45 are pending. Claims 26-30, 33-37 and 40-43 have been amended.
	In light of applicant’s argument, objection to the specification has been withdrawn.
	In light of the Terminal Disclaimer of 12-06-2020 the double patenting rejection of claims has been withdrawn.
Response to Arguments
	Applicant's amendments/arguments filed on 12-06-2020 have been fully considered but are moot in view of the new ground(s) of rejection.
Information Disclosure Statement PTO-1449 
	The Information Disclosure Statement submitted by applicant on 02-16-2021, 12-15-2020 and 10-14-200  have been considered. Please see attached PTO-1449. 
Claim Rejections - 35 USC § 103
		The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the 

	Claims 26, 28, 33, 35, 40 and 42 are rejected under 35 U.S.C. 103 as being unpatentable over Cudak et al. (US Patent No. 10,592,659), in view of Fahrny et al. (US Publication No. 2017/0244729).
	As per claim 26, 33 and 40, Cudak teaches a computer program product for detecting a security breach in a system managing access to a storage, the computer program product comprising a computer readable storage medium having computer readable program code embodied therein (column 1, lines 32-44) that when executed performs operations, the operations comprising: monitoring Input/output (I/O) activity by a process [program] accessing data in a storage (figure 1, block 104, column 3, lines 60-61, and column 4, lines 7-24, monitor the behavior of the application program, the behavior can include the types of data the application program accesses, when and for how long the application program accesses the data, locations of the data the application program accesses and how the application program accesses the data); determining historical I/O activity toward the data subject to the I/O activity from the process (column 5, lines 1-12,, a behavior profile of the application is constructed based on the monitored behavior profile. The behavior profile is constructed so that subsequent behavior of the application can be compared against the behavior profile); determining whether a processing rate of the I/O activity as compared to the historical I/O activity toward the data satisfies a condition (column 5, lines 15-30, from the entries of the database in which the behavior of the application program has been tracked , the frequency of access can be determined for period of time, such that how many times access to the resource in question is made every hour or every day, so that further behavior can be compared against the profile) and characterizing the process column 7, liens 19-41and column 9, lines 24-32, in response to determining that the application program has engaged in behavior that deviates from the behavior profile the behavior is notified as being suspicious). While Cudak teaches suspicious process, Cudak does not explicitly teach indicating a security breach in response to characterizing the process as the suspicious process. However, in an analogous art, Fahrny teaches indicating a security breach in response to characterizing the process as the suspicious process (paragraph [0051], a triggering event include detecting that an attempt has been made to add source and/or binary code into a memory location and that inserted code is being called upon to preform malicious operation. Once the triggering events is detected, the intrusion detection agent detects that a security breach is being made and instruct the central processor to report the security breach and its details to the remote server).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Cudak to include indicating a security breach in response to characterizing the process as the suspicious process, as disclosed by Fahrny, in order to achieve the predictable result of protecting against security breaches by preventing suspicious activities to perform undesired process using the computing device’s resources.  
	As per claim 28, 35 and 42, Cudak furthermore teaches, wherein the determining whether the condition is satisfied comprises determining whether the I/O activity exceeds the historical I/O activity by a threshold, wherein the condition is satisfied in response to determining that the I/O activity exceeds the historical I/O activity by the threshold (column 9, lines 19-32, comparing behavior of the application program during execution with the behavior of the application program in the profile and in response to determining deviation performing an action) .

	Claims 27, 34 and 41 are rejected under 35 U.S.C. 103 as being unpatentable over Cudak et al., in view of Fahrny et al., further in view of Ogawa (US Publication No. 2016/0215325).
	As per claim 27, 34 and 41, Cudak in view of Fahrny does not explicitly teach but in an analogous art Ogawa discloses ,wherein the first condition comprises the first condition, and  in response to determining that the first condition is satisfied (paragraph [0096], at block 101, it is determined if x number of data files or objected has been accessed), performing: determining a characteristic of the data subject to the I/O activity from the process different from the historical I/O activity; and determining whether the characteristic of the I/O activity different form the historical I/O activity satisfies a second condition (paragraph [0097], if the x number of data files have been accessed, determining if the data files or data object have been accessed in a sequential order (determining if second condition satisfies)) , wherein the process initiating the I/O activity is indicated as the suspicious process in response to determining that the second condition is satisfied (paragraph [0097], the action is considered suspicious if the data files have been accessed in a sequential order).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Cudak and Fahrny to include, wherein the first condition comprises the first condition, and  in response to determining that the first condition is satisfied, performing: determining a characteristic of the data subject to the I/O activity from the process different from the historical I/O activity; and determining whether the characteristic of the I/O activity different form the historical I/O activity satisfies a second condition, wherein the process initiating the I/O activity is indicated as the suspicious process in response to determining that the second condition is satisfied. This would have been obvious because one of ordinary skill in the art would have been motivated to detect adversary who has successfully breached the security system and to hinder the successful adversary form gaining further access to data (paragraph [0038]). 
		

Allowable Subject Matter
	Claims 29-32, 36-39 and 43-45 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Conclusion

	Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Ali Abyaneh whose telephone number is (571) 272-7961. The examiner can normally be reached on Monday-Friday from (8:00-5:00). If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid can be reached on (571) 272-4063. The fax phone numbers for the organization where this application or proceeding is assigned as (571) 273-8300 Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
/ALI S ABYANEH/Primary Examiner, Art Unit 2437