DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .



Response to Amendment  / Arguments 
Claim Objections. Applicant’s amendment overcomes the objections to the claims. 
	112(b) Rejections. Applicant’s amendment overcomes the previous 112(b) rejections to the claims. 
	103 Rejections.  The examiner has considered Applicant’s arguments and amendments. In response, the amendments do not overcome the prior art of record for the 103 rejections; and Applicant’s arguments are non-responsive in some ways, and incomplete, as described below.  
	[Wingdings font/0xE0] As a preliminary matter: Applicant argues that Watkiss is not prior art to Applicant’s claims. Applicant is respectfully wrong about this, because Applicant has read or understood the dates wrong.  Specifically, Applicant argues that Watkiss is not prior art, because the filing date of Watkiss is allegedly November 7, 2019. This is not true.  November 7, 2019 is actually the publication date of Watkiss.  The correct filing date for Watkiss is: May 3, 2018.  Applicant’s filing date is February 1, 2019.  Therefore, Watkiss is in fact prior art to Applicant’s claims, as filed before Applicant’s patent application.   Please see below, to respectfully set the record straight:

THE FIRST PAGE OF THE PUBLICATION OF THE WATKISS REFERENCE:

[AltContent: arrow][AltContent: arrow]
    PNG
    media_image1.png
    200
    400
    media_image1.png
    Greyscale

[AltContent: textbox (Filing date: this is the relevant date for prior art purposes to this application. 
This date is May 3, 2018. 
Applicant’s filing date is February 1, 2019.  
Watkiss has an earlier filing date than Applicant, and is therefore correctly applied by the Examiner as prior art.  )][AltContent: textbox (Publication Date (date the application was published).
This date is November 7, 2019. 
This is not the relevant date for prior art purposes to this application. Review 35 U.S.C. 102 and 103. )]



	Applicant’s arguments are also unpersuasive, because (!) Applicant argued each reference individually, (2) Applicant did not address the 103 rejection as a whole (i.e. Applicant addressed no combination), (3) Applicant argues for teachings that either the examiner did not use, or for claim features that the examiner did not use the reference for, (4) Applicant did not argue all the references, because Applicant believed Watkiss was not prior art, and 54) Applicant did not address the second of two 103 rejections to the independent claims. Therefore the arguments are very piecemeal, in some parts incorrect, incomplete, somewhat non-responsive, and unpersuasive.  

	That is to say, Applicant respectfully did not argue the Swift reference at all.  There were TWO bases for 103 rejections to the independent claims, the second one using the Swift reference.  Applicant seems to have ignored the second 103 rejection, or at least chose not to present any arguments to the Swift reference at all.  

	In addition, to the first 103 rejection, Applicant did not argue the Watkiss reference, because Applicant believed Watkiss was not prior art.  This is respectfully not correct, as shown above. 

	Therefore, Applicant did not fully respond to the 103 rejections, and addressed no combination, which is what 103 rejections over multiple references typically involve.  
	 Here are some (but not all) examples of why the examiner disagrees with Applicant’s mischaracterization of the references, and some (but not all) examples of how Applicant improperly alleges that reference A does not teach feature X, even though reference A wasn’t even applied to teach feature X (so therefore, arguments like this are moot): 
Kline was not used for endpoint device. Watkiss was. Remarks, page 11
Kline, contrary to what Applicant states, does teach visually collecting confidential information in the form of visual hacking. See para. 41. 
Kline was not used for copying frame buffers. Remarks, page 11. 
Kline was not used for risk-adaptive policies. Watkiss was
Nason was not used for frame buffer copying. Remarks, page 12.
…Etc, etc. etc. 

Therefore the arguments are respectfully incomplete, unresponsive in parts, and unpersuasive as a whole.  Accordingly, the rejections over existing prior art are maintained, and a new rejection under 112(b) is issued below. 
	 



Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
	Regarding independent claims 1, 8 and 15, it is unclear what the “image capture module” of these claims refers to.  Was the interception done by taking an image of an API call? Or an image of (*insert*)?  Otherwise, what is the function of the image capture module?  In the response, Applicant provided no indication of where in the specification there is support for this feature, so the examiner is making her best guess now as to claim interpretation and support in the specification. 
	Applicant’s specification seems to describe the image capture module as part of memory, and used for copying frame buffers.  The image capture module can also capture images, but the claims right now do not support this interpretation.  Therefore, what does the image capture module of the independent claims do? Is an image being captured?  If so, this is missing from the claims. 
	Also, even though the preamble to claim 1 states that the method is for “capturing an image”, the method of claim 1 actually has very little to do with image capture.  There is no capturing step in claim 1.  Instead, claim 1, as currently written, has more to do with performing risk-adaptive security operations, or risk operations, or security operations, or security protection, etc.  So, Applicant should respectfully consider removing “capturing an image” from the preamble of claim 1, or amending the body of claim 1 to include a clear image capture step. 
	If Applicant wants the claims to be interpreted such as the image capture module in fact captures an image, then the claims need to be respectfully amended to reflect such an interpretation. Otherwise, right now the image capture module is just used in an intercepting step or function, and a broad, reasonable interpretation in view of the specification would be that this image capture module is located in memory to assist or facilitate copying of the frame buffer. 
	Finally, in the interests of advancing prosecution, Applicant is advised to consider amendment the claims to clarify the function of the image capture module as capturing images, in some fashion, and how those images relate to the remainder of the independent claims.  This will require some re-writing and addition of features, but might be worthwhile to consider to advance prosecution and potentially overcome the prior art of record. 
	Clarification and/or correction are required. 




Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, 4, 5, 8, 9, 11, 12, 15, 16 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Kline (U.S. Patent Application Publication No. 2015/0220707 A1) in view of Nason (U.S. Patent Application Publication No. 2005/0102266 A1) and further in view of Neath (U.S. Patent No. 8,463,612) and Watkiss (U.S. Patent Application Publication No. 2019/0342313 A1).

	Regarding claim 1: 
	It would have been obvious for one of ordinary skill in the art to have combined and modified the applied references, in view of same, to have obtained: a computer-implemented method for capturing an image, the method comprising: 
	providing an endpoint device with an endpoint agent to establish a protected endpoint, the endpoint agent comprising an image capture module and a risk-adaptive security policy;
	intercepting API calls made by a target application executing on the endpoint device to a graphics display driver via the image capture module of the endpoint agent, wherein the API calls made to the graphics display driver by the target application are made using a graphics rendering API library; and 
	using the intercepted API calls to construct a copy of a frame buffer of the image, wherein the copy of the frame buffer is constructed independent of the graphics display driver; 
	using the copy of the frame buffer of the image to detect an occurrence of a visual hacking incident, wherein the visual hacking incident includes visually collecting confidential information at the endpoint device; and 
	performing a risk-adaptive security operation, the risk-adaptive security operation adaptively responding to mitigate a risk associated with the visual hacking incident based on the risk-adaptive security policy, and the results of the modification would have been predictable to one of ordinary skill in the art as of the effective filing date of the claimed invention.  See MPEP §2143(A).  
	Kline teaches: a computer-implemented method for capturing an image (see para. 44, the monitoring process can include capturing an image on a screen).  Kline also teaches: intercepting API calls made by a target application (i.e. a media player application, though other application processes are envisioned; see paras. 57-70)…via the image capture module (Kline, para. 44 and 66), wherein the API calls… are made using a graphics rendering API library, such as OpenGL (para. 65). See also discussion below re: endpoint agent. 
	Re: calls made to a graphics display driver, wherein the API calls [are] made to the graphics display driver by the target application, Nason teaches that security measures with respect to calls made to a graphics display driver by a target application are known (para. 47, protecting access to video content via a display driver and frame buffer).  Modifying Kline, such that the intercepting of API calls made by a target application using a graphics rendering API library are done in an environment that includes a graphics display driver, as per Nason, would have been obvious and predictable to one of ordinary skill in the art.  Both references are related to the monitoring and protection of data from unwanted access. 
	Re: using the intercepted API calls to construct a copy of a frame buffer of an image, wherein the copy of the frame buffer is constructed independent of the graphics display driver, consider the following.  Neath teaches using API hooks to intercept API calls and obtain, by intercepting API calls, memory locations to capture the input data stored there before the driver replaces it with new data (see cols. 9-10). These data streams can be stored on a storage medium, which may be local or remote to the monitored computer (last paragraph of col. 10). As one example, the data streams can be transmitted to a monitoring server for analysis and/or replay (Id.).  See also cols. 13-14, and namely the first full paragraph of col. 14, which teaches that an API hook can be used to intercept an API function call and/or access a buffer, and/or pass a copy of those contents for processing. This is independent of the driver.  See also Neath, claim 1. By this teaching, Neath also teaches an image capture module, as the aspect of Neath’s hardware that copies the frame buffer. This interpretation is a reasonable interpretation consistent with Applicant’s specification.  See 112(b) rejection above. 
	Neath is primarily directed at audio data and audio streams, as opposed to graphics or other forms of media.  However, Kline and Nason also teach their applicability to audio, see Kline, para. 7; Nason, Abstract and claim 3, and Neath is not specifically limited to only audio and/or to modifications of Neath (see Neath, col. 15).  Accordingly it would have been obvious for one of ordinary skill in the art to have further modified the applied references, in view of Neath, to have applied the intercepting and copying of Neath, to the system and methods of Kline and Nason, and the results of the modification would have been obvious and predictable to one of ordinary skill in the art.  
	Re: providing an endpoint device with an endpoint agent to establish a protected endpoint; intercepting API calls made by a target application executing on the endpoint device to a graphics display driver via the endpoint agent, (features relating to endpoint security), consider Watkiss. Watkiss teaches that it is known to have an endpoint device (called ‘endpoint’ by Watkiss, see Watkiss, para. 30-41) with an endpoint agent (claim 1, security agent. See also paras. 3-9, 30-45 and Fig. 7 and related description) to establish a protected endpoint (endpoint w/ security agent).  Modifying the endpoint agent to have an image capture module, as mapped above re: Neath, would have been obvious and predictable to one of ordinary skill in the art.  See also below. 
	Further re: the endpoint agent comprising an image capture module and a risk-adaptive security policy, see also Watkiss. Watkiss is not particularly limited to the features of an endpoint agent (see e.g. paras. 3-9, 33-83 and Figs. 2-7). The endpoint agent of Watkiss can include features as described in para. 41, including event detection, user behavior detection and risk adaptive security policies (para. 41, receive and evaluate data, buffer data; see Fig. 3; see also Fig. 4: 414, 416, 418; see also para. 92 re: adaptable security policies). Regarding image capture, Watkiss teaches buffering data and a system that includes a camera (also an image capture module) (see para. 58), and, alternatively, recall that Kline and mapping above teaches image capture.
	Modifying the applied references, such that the security agent and endpoint security protocol or Watkiss, intercepts API calls as part of its security measures made by a target application to a graphics display driver, as mapped above, as well as includes the modules, as taught/suggested by Watkiss, including image capture, per Watkiss and/or Kline and mapping above, is all of taught, suggested, and would have been obvious and predictable to one of ordinary skill in the art.  Essentially, the endpoint agent features are all taught/suggested by the expansive teachings of Watkiss, and modifying the functionality to also include image capture, per Kline, as both relate to security and risk avoidance, would have been obvious and predictable over the prior art. 
	Finally, re: using the copy of the frame buffer of the image to detect an occurrence of a visual hacking incident, wherein the visual hacking incident includes visually collecting confidential information at the endpoint device; and the performing step, consider the following.  As mapped above, the prior art teaches copying frame buffers to, as taught in Neath, monitor data streams (see Neath, Field of the Invention).  Visual hacking includes visually collecting confidential information (Kline, para. 44).  The security monitoring of Kline can be done by capturing image content (see e.g. para. 44 and Fig. 1), and Watkiss teaches endpoint agents, as mapped above.  Modifying the applied references, such that the frame buffer copy of the image is used to detect a visual hacking incident, as taught by the combined references mapped above, and performing a risk-adaptive security operation, as taught by Watkiss (see Figs. 6-7), to mitigate risks associated with a visual hacking incident, as per Kline and the mappings above, is all of taught, suggested and obvious and predictable over the prior art. 
	The prior art included each element recited in claim 1, although not necessarily in a single embodiment, with the only difference being between the claimed element and the prior art being the lack of actual combination of certain elements in a single prior art embodiment, as described above. 
	One of ordinary skill in the art could have combined the elements as claimed by known methods, and in that combination, each element merely performs the same function as it does separately.  One of ordinary skill in the art would have also recognized that the results of the combination were predictable as of the effective filing date of the claimed invention.  


	Regarding claim 2: please see claim 9. 
	Claim 2 recites features, which are substantially similar to those of claim 9.  Thus, the rationale for rejecting claim 9 equally applies to claim 2. 


	Regarding claim 4: please see claim 11. 
	Claim 4 recites features, which are substantially similar to those of claim 11.  Thus, the rationale for rejecting claim 11 equally applies to claim 4. 


	Regarding claim 5: please see claim 12. 
	Claim 5 recites features, which are substantially similar to those of claim 12.  Thus, the rationale for rejecting claim 12 equally applies to claim 5. 


	Regarding claim 8: see also claim 1. 
	Kline teaches: a system (Fig. 4, computing device) comprising: a processor (Fig. 4: 410); a data bus coupled to the processor (Fig. 4: memory bus, 430); and 
	a non-transitory, computer-readable storage medium embodying computer program code (claim 19), the non-transitory, computer-readable storage medium being coupled to the data bus, the computer program code interacting with a plurality of computer operations and comprising instructions executable by the processor and configured for (claims 19-20).
	The program code that is executable in claim 8 corresponds to the method of claim 1.  Thus, the rationale for rejecting claim 1 equally applies to the computer program code of claim 8.  Modifying the method of claim 1, such that it is executable as code stored in memory as mapped above, would have been obvious to one of ordinary skill in the art as of the effective filing date of Applicant’s claims. The motivation would be to take advantage of known hardware and software capabilities and architecture to implement desired results. 


	Regarding claim 9: 
	Kline and/or Neath further teach: the system of claim 8, wherein the intercepted API calls are obtained using software hooks inserted during runtime of the target application (see e.g. Kline, paras. 58, 59, hooking technique to intercept API calls during runtime of other running processes, i.e. during runtime of target application) (Neath, cols. 9-10 and first full paragraph of col. 14).
	Watkiss further teaches: and the software hooks allow the endpoint agent to subscribe to other events occurring at the endpoint device (see e.g. claim 19, paras. 101-102, 112 and Fig. 7)
	It would have been obvious for one of ordinary skill in the art, as of the effective filing date of Applicant’s claims, to have further modified the applied references, in view of same, to have obtained the above, and the results of the modification would have been predictable to one of ordinary skill in the art as of the effective filing date of the claimed invention.  See MPEP §2143(A).   That is, to have modified the applied references to include the hooking technique as taught by the prior art and mapped above. 
	The prior art included each element recited in claim 9, although not necessarily in a single embodiment, with the only difference being between the claimed element and the prior art being the lack of actual combination of certain elements in a single prior art embodiment, as described above. 
	One of ordinary skill in the art could have combined the elements as claimed by known methods, and in that combination, each element merely performs the same function as it does separately.  One of ordinary skill in the art would have also recognized that the results of the combination were predictable as of the effective filing date of the claimed invention.  


	Regarding claim 11:
	Kline further teaches: the system of claim 8, wherein the graphics rendering API library includes one or more of an EGL library, an OpenVG library, or an OpenGL library (Kline, para. 65 and Table 3, the graphics rendering library can be OpenGL).
	It would have been obvious for one of ordinary skill in the art, as of the effective filing date of Applicant’s claims, to have further modified the applied references, in view of Kline, to have obtained the above. The motivation would be to increase the abilities and reach of monitoring data and activities for malicious behavior. 


	Regarding claim 12:
	Kline further teaches: the system of claim 8, wherein the target application comprises one or more of: a word processing application; a spreadsheet application; an image editing application; a web browser application; a desktop environment application; and an image acquisition application (e.g. paras. 45-50, the target application can be a media player, i.e. a desktop environment application, like Windows Media Player, for example).
	It would have been obvious for one of ordinary skill in the art, as of the effective filing date of Applicant’s claims, to have further modified the applied references, in view of Kline, to have obtained the above. The motivation would be to increase the abilities and reach of monitoring data and activities for malicious behavior.


	Regarding claim 15: see also claim 1. 
	Kline teaches: a non-transitory, computer-readable storage medium embodying computer program code (claims 19-20), the computer program code comprising computer executable instructions configured for.
	The program code that is executable in claim 15 corresponds to the method of claim 1.  Thus, the rationale for rejecting claim 1 equally applies to the computer program code of claim 15.  Modifying the method of claim 1, such that it is executable as code stored in memory as mapped above, would have been obvious to one of ordinary skill in the art as of the effective filing date of Applicant’s claims. The motivation would be to take advantage of known hardware and software capabilities and architecture to implement desired results. 
.  

	Regarding claim 16: please see claim 9. 
	Claim 16 recites features, which are substantially similar to those of claim 9.  Thus, the rationale for rejecting claim 9 equally applies to claim 16. 


	Regarding claim 18: please see claim 11. 
	Claim 18 recites features, which are substantially similar to those of claim 11.  Thus, the rationale for rejecting claim 11 equally applies to claim 18. 


Claims 3, 10 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Kline in view of Nason, Neath and Watkiss, and further in view of Swift (U.S. Patent Application Publication No. 2013/0120411 A1).   

	Regarding claim 3: please see claim 10. 
	Claim 3 recites features, which are substantially similar to those of claim 10.  Thus, the rationale for rejecting claim 10 equally applies to claim 3. 

	Regarding claim 10:
	The applied references to claim 8 do not proactively teach claim 10. 
	In analogous art, Swift teaches: the system of claim 8, wherein the intercepted API calls comprise one or more of: API calls instantiating a frame buffer; API calls updating a frame buffer; and API calls swapping a window (para. 40, swap API calls are known).
	It would have been obvious for one of ordinary skill in the art, as of the effective filing date of Applicant’s claims, to have further modified the applied references, in view of Swift, to have obtained the above. The motivation would be to take advantage of known API calls to render display content. 

Regarding claim 17: please see claim 10. 
	Claim 17 recites features, which are substantially similar to those of claim 10.  Thus, the rationale for rejecting claim 10 equally applies to claim 17.  

Claims 1-5, 8-12 and 15-18 are rejected under 35 U.S.C. 103 as being unpatentable over Kline in view of Swift and further in view of Neath and Watkiss.

	Regarding claim 1: 
	It would have been obvious for one of ordinary skill in the art to have combined and modified the applied references, in view of same, to have obtained: a computer-implemented method for capturing an image, the method comprising: 
	providing an endpoint device with an endpoint agent to establish a protected endpoint, the endpoint agent comprising an image capture module and a risk-adaptive security policy;
	intercepting API calls made by a target application executing on the endpoint device to a graphics display driver via the image capture module of the endpoint agent, wherein the API calls made to the graphics display driver by the target application are made using a graphics rendering API library; and 
	using the intercepted API calls to construct a copy of a frame buffer of the image, 
	wherein the copy of the frame buffer is constructed independent of the graphics display driver; 
	using the copy of the frame buffer of the image to detect an occurrence of a visual hacking incident, wherein the visual hacking incident includes visually collecting confidential information at the endpoint device; and 
	performing a risk-adaptive security operation, the risk-adaptive security operation adaptively responding to mitigate a risk associated with the visual hacking incident based on the risk-adaptive security policy, and the results of the modification would have been predictable to one of ordinary skill in the art as of the effective filing date of the claimed invention.  See MPEP §2143(A).  
	Kline teaches: a computer-implemented method for capturing an image (see para. 44, the monitoring process can include capturing an image on a screen) (** claim interpretation note: as claimed this is the examiner’s best interpretation of what this preamble recitation means, since the remainder of the claim does not relate back to the image that is presumably captured). Kline also teaches: intercepting API calls made by a target application (i.e. a media player application, though other application processes are envisioned; see paras. 57-70), wherein the API calls… are made using a graphics rendering API library, such as OpenGL (para. 65).  
	Re: calls made to a graphics display driver, wherein the API calls [are] made to the graphics display driver by the target application, Swift teaches that a system or methods applied to a system having a graphics display driver with API calls made thereto by a target application is known (see Swift, Abstract, claim 1; and paras. 37, 42 and 44).  Modifying Kline, such that the intercepting of API calls made by a target application using a graphics rendering API library are done in an environment that includes a graphics display driver, as per Swift, would have been obvious and predictable to one of ordinary skill in the art.  
	Re: using the intercepted API calls to construct a copy of a frame buffer of an image, wherein the copy of the frame buffer is constructed independent of the graphics display driver, consider the following.  Neath teaches using API hooks to intercept API calls and obtain, by intercepting API calls, memory locations to capture the input data stored there before the driver replaces it with new data (see cols. 9-10). These data streams can be stored on a storage medium, which may be local or remote to the monitored computer (last paragraph of col. 10). As one example, the data streams can be transmitted to a monitoring server for analysis and/or replay (Id.).  See also cols. 13-14, and namely the first full paragraph of col. 14, which teaches that an API hook can be used to intercept an API function call and/or access a buffer, and/or pass a copy of those contents for processing. This is independent of the driver.  See also Neath, claim 1. By this teaching, Neath also teaches an image capture module, as the aspect of Neath’s hardware that copies the frame buffer. This interpretation is a reasonable interpretation consistent with Applicant’s specification.  See 112(b) rejection above. 
	Neath is primarily directed at audio data and audio streams, as opposed to graphics or other forms of media.  However, Kline also teaches their applicability to audio, see Kline, para. 7, and Neath is not specifically limited to only audio and/or to modifications of Neath (see Neath, col. 15).  Accordingly it would have been obvious for one of ordinary skill in the art to have further modified the applied references, in view of Neath, to have applied the intercepting and copying of Neath, to the system and methods of Kline and Swift, and the results of the modification would have been obvious and predictable to one of ordinary skill in the art.  
	Re: providing an endpoint device with an endpoint agent to establish a protected endpoint; intercepting API calls made by a target application executing on the endpoint device to a graphics display driver via the endpoint agent, (features relating to endpoint security), consider Watkiss. Watkiss teaches that it is known to have an endpoint device (called ‘endpoint’ by Watkiss, see Watkiss, para. 30-41) with an endpoint agent (claim 1, security agent. See also paras. 3-9, 30-45 and Fig. 7 and related description) to establish a protected endpoint (endpoint w/ security agent).  Modifying the endpoint agent to have an image capture module, as mapped above re: Neath, would have been obvious and predictable to one of ordinary skill in the art.  See also below. 
	Further re: the endpoint agent comprising an image capture module and a risk-adaptive security policy, see also Watkiss. Watkiss is not particularly limited to the features of an endpoint agent (see e.g. paras. 3-9, 33-83 and Figs. 2-7). The endpoint agent of Watkiss can include features as described in para. 41, including event detection, user behavior detection and risk adaptive security policies (para. 41, receive and evaluate data, buffer data; see Fig. 3; see also Fig. 4: 414, 416, 418; see also para. 92 re: adaptable security policies). Regarding image capture, Watkiss teaches buffering data and a system that includes a camera (also an image capture module) (see para. 58), and, alternatively, recall that Kline and mapping above teaches image capture.
	Modifying the applied references, such that the security agent and endpoint security protocol or Watkiss, intercepts API calls as part of its security measures made by a target application to a graphics display driver, as mapped above, as well as includes the modules, as taught/suggested by Watkiss, including image capture, per Kline and mapping above, is all of taught, suggested, and would have been obvious and predictable to one of ordinary skill in the art.  Essentially, the endpoint agent features are all taught/suggested by the expansive teachings of Watkiss, and modifying the functionality to also include image capture, per Kline, as both relate to security and risk avoidance, would have been obvious and predictable over the prior art. 
	Finally, re: using the copy of the frame buffer of the image to detect an occurrence of a visual hacking incident, wherein the visual hacking incident includes visually collecting confidential information at the endpoint device; and the performing step, consider the following.  As mapped above, the prior art teaches copying frame buffers to, as taught in Neath, monitor data streams (see Neath, Field of the Invention).  Visual hacking includes visually collecting confidential information (Kline, para. 44).  The security monitoring of Kline can be done by capturing image content (see e.g. para. 44 and Fig. 1), and Watkiss teaches endpoint agents, as mapped above.  Modifying the applied references, such that the frame buffer copy of the image is used to detect a visual hacking incident, as taught by the combined references mapped above, and performing a risk-adaptive security operation, as taught by Watkiss (see Figs. 6-7), to mitigate risks associated with a visual hacking incident, as per Kline and the mappings above, is all of taught, suggested and obvious and predictable over the prior art. 
	The prior art included each element recited in claim 1, although not necessarily in a single embodiment, with the only difference being between the claimed element and the prior art being the lack of actual combination of certain elements in a single prior art embodiment, as described above. 
	One of ordinary skill in the art could have combined the elements as claimed by known methods, and in that combination, each element merely performs the same function as it does separately.  One of ordinary skill in the art would have also recognized that the results of the combination were predictable as of the effective filing date of the claimed invention.  


	Regarding claim 2: please see claim 9. 
	Claim 2 recites features, which are substantially similar to those of claim 9.  Thus, the rationale for rejecting claim 9 equally applies to claim 2. 

	Regarding claim 3: please see claim 10. 
	Claim 3 recites features, which are substantially similar to those of claim 10.  Thus, the rationale for rejecting claim 10 equally applies to claim 3. 

	Regarding claim 4: please see claim 11. 
	Claim 4 recites features, which are substantially similar to those of claim 11.  Thus, the rationale for rejecting claim 11 equally applies to claim 4. 

	Regarding claim 5: please see claim 12. 
	Claim 5 recites features, which are substantially similar to those of claim 12.  Thus, the rationale for rejecting claim 12 equally applies to claim 5. 


	Regarding claim 8: see also claim 1. 
	Kline teaches: a system (Fig. 4, computing device) comprising: a processor (Fig. 4: 410); a data bus coupled to the processor (Fig. 4: memory bus, 430); and 
	a non-transitory, computer-readable storage medium embodying computer program code (claim 19), the non-transitory, computer-readable storage medium being coupled to the data bus, the computer program code interacting with a plurality of computer operations and comprising instructions executable by the processor and configured for (claims 19-20).
	The program code that is executable in claim 8 corresponds to the method of claim 1.  Thus, the rationale for rejecting claim 1 equally applies to the computer program code of claim 8.  Modifying the method of claim 1, such that it is executable as code stored in memory as mapped above, would have been obvious to one of ordinary skill in the art as of the effective filing date of Applicant’s claims. The motivation would be to take advantage of known hardware and software capabilities and architecture to implement desired results. 


	Regarding claim 9: 
	Kline and/or Neath further teaches the system of claim 8, wherein the intercepted API calls are obtained using software hooks inserted during runtime of the target application (see e.g. Kline, paras. 58, 59, hooking technique to intercept API calls during runtime of other running processes, i.e. during runtime of target application) (Neath, cols. 9-10 and first full paragraph of col. 14). 
	Watkiss further teaches: and the software hooks allow the endpoint agent to subscribe to other events occurring at the endpoint device (see e.g. claim 19, paras. 101-102, 112 and Fig. 7)
	It would have been obvious for one of ordinary skill in the art, as of the effective filing date of Applicant’s claims, to have further modified the applied references, in view of same, to have obtained the above, and the results of the modification would have been predictable to one of ordinary skill in the art as of the effective filing date of the claimed invention.  See MPEP §2143(A).   That is, to have modified the applied references to include the hooking technique as taught by the prior art and mapped above. 
	The prior art included each element recited in claim 9, although not necessarily in a single embodiment, with the only difference being between the claimed element and the prior art being the lack of actual combination of certain elements in a single prior art embodiment, as described above. 
	One of ordinary skill in the art could have combined the elements as claimed by known methods, and in that combination, each element merely performs the same function as it does separately.  One of ordinary skill in the art would have also recognized that the results of the combination were predictable as of the effective filing date of the claimed invention.  


	Regarding claim 10:
	Swift further teaches: the system of claim 8, wherein the intercepted API calls comprise one or more of: API calls instantiating a frame buffer; API calls updating a frame buffer; and API calls swapping a window (para. 40, swap API calls are known).
	It would have been obvious for one of ordinary skill in the art, as of the effective filing date of Applicant’s claims, to have further modified the applied references, in view of Swift, to have obtained the above. The motivation would be to take advantage of known API calls to render display content. 


	Regarding claim 11:
	Kline and/or Swift further teaches: the system of claim 8, wherein the graphics rendering API library includes one or more of an EGL library, an OpenVG library, or an OpenGL library (Kline, para. 65 and Table 3, the graphics rendering library can be OpenGL) (Swift, paras. 37 and 42).
	It would have been obvious for one of ordinary skill in the art, as of the effective filing date of Applicant’s claims, to have further modified the applied references, in view of Kline and/or Swift, to have obtained the above. The motivation would be to increase the abilities and reach of monitoring data and activities for malicious behavior. 


	Regarding claim 12:
	Kline further teaches: the system of claim 8, wherein the target application comprises one or more of: a word processing application; a spreadsheet application; an image editing application; a web browser application; a desktop environment application; and an image acquisition application (e.g. paras. 45-50, the target application can be a media player, i.e. a desktop environment application, like Windows Media Player, for example).
	It would have been obvious for one of ordinary skill in the art, as of the effective filing date of Applicant’s claims, to have further modified the applied references, in view of Kline, to have obtained the above. The motivation would be to increase the abilities and reach of monitoring data and activities for malicious behavior.


	Regarding claim 15: see also claim 1. 
	Kline teaches: a non-transitory, computer-readable storage medium embodying computer program code (claims 19-20), the computer program code comprising computer executable instructions configured for.
	The program code that is executable in claim 15 corresponds to the method of claim 1.  Thus, the rationale for rejecting claim 1 equally applies to the computer program code of claim 15.  Modifying the method of claim 1, such that it is executable as code stored in memory as mapped above, would have been obvious to one of ordinary skill in the art as of the effective filing date of Applicant’s claims. The motivation would be to take advantage of known hardware and software capabilities and architecture to implement desired results. 


	Regarding claim 16: please see claim 9. 
	Claim 16 recites features, which are substantially similar to those of claim 9.  Thus, the rationale for rejecting claim 9 equally applies to claim 16. 


Regarding claim 17: please see claim 10. 
	Claim 17 recites features, which are substantially similar to those of claim 10.  Thus, the rationale for rejecting claim 10 equally applies to claim 17.  


	Regarding claim 18: please see claim 11. 
	Claim 18 recites features, which are substantially similar to those of claim 11.  Thus, the rationale for rejecting claim 11 equally applies to claim 18. 



Claims 6, 7, 13, 14, 19 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Kline in view of (Nason or Swift), Neath and Watkiss, and further in view of Thakadu (U.S. Patent Application Publication No. 2014/0237594 A1). 

	Regarding claim 6: please see claim 13. 
	Claim 6 recites features, which are substantially similar to those of claim 13.  Thus, the rationale for rejecting claim 13 equally applies to claim 6. 

	Regarding claim 7: please see claim 14. 
	Claim 7 recites features, which are substantially similar to those of claim 14.  Thus, the rationale for rejecting claim 14 equally applies to claim 7. 


	Regarding claim 13:
	It would have been obvious for one of ordinary skill in the art to have combined and modified the applied references, in view of same, to have obtained: the system of claim 8, wherein the instructions are further configured for: storing the copied frame buffer in memory, 
	wherein the memory is accessible by a security analytics system; and
	analyzing the copied frame buffer by the security analytics system to detect potential violations of a security policy, and the results of the modification would have been predictable to one of ordinary skill in the art as of the effective filing date of the claimed invention.  See MPEP §2143(A).  
	Neath teaches storing copied data in memory for further processing (see e.g. last paragraph of col. 10).  Re: copied frame buffer, this is taught by Kline, with Nason or Swift, as mapped above in the based independent claim.  Neath also teaches that the copied data can be sent to a monitoring server for analysis (last paragraph of col. 10).  This corresponds to a teaching of a wherein the memory is accessibly by a security analytics system.  Moreover, Thakadu also teaches a security analytics system (system of Fig. 1, which teaches a monitoring system that utilizes a database of security rules/policies).  Thakadu further teaches: analyzing the copied frame buffer (see mapping above to base independent claim) by the security analytics system (the server of Neath, and/or the system of Thakadu) to detect potential violations of a security policy (e.g. para. 3 of Thakadu, systems to detect violations of security policies have been known in the art. See also para. 15). Modifying the methods and systems of Kline, Nason or Swift, and Neath, to have the functionality and objectives of Thakadu, would have been obvious and predictable to one of ordinary skill in the art, as of the effective filing date of Applicant’s claims. 
	The prior art included each element recited in claim 13, although not necessarily in a single embodiment, with the only difference being between the claimed element and the prior art being the lack of actual combination of certain elements in a single prior art embodiment, as described above. 
	One of ordinary skill in the art could have combined the elements as claimed by known methods, and in that combination, each element merely performs the same function as it does separately.  One of ordinary skill in the art would have also recognized that the results of the combination were predictable as of the effective filing date of the claimed invention.  


	Regarding claim 14:
	Kline further teaches: the system of claim 13, wherein analysis of the copied frame buffer to detect potential violations of the security policy by the security analytics system is initiated in response to one or more of: 
	access of one or more predetermined images for display by the target application; 
	acquisition of an image for display by the target application; 
	access of one or more predetermined files for display by the target application; and 
	access of one or more predetermined file types for display by the target application (see e.g. paras. 40-70, monitoring is done and action is triggered in response to access of one or more predetermined files and/or file types by the target application, i.e. unencrypted media data and/or video and audio data of video card. The above access and acquisition, for display, is taught by para. 44 of Kline).
	It would have been obvious for one of ordinary skill in the art, as of the effective filing date of Applicant’s claims, to have further modified the applied references, in view of Kline, to have obtained the above.  That is, to modify the applied references such that analysis of copied frame buffer data is done in response to access, as per Kline. The motivation would be to increase the abilities and reach of monitoring data and activities for malicious behavior over files that might be vulnerable to piracy. 
 

	
	Regarding claim 19: please see claim 13. 
	Claim 19 recites features, which are substantially similar to those of claim 13.  Thus, the rationale for rejecting claim 13 equally applies to claim 19. 

	Regarding claim 20: please see claim 14. 
	Claim 20 recites features, which are substantially similar to those of claim 14.  Thus, the rationale for rejecting claim 14 equally applies to claim 20. 




Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Sarah Lhymn whose telephone number is (571)270-0632.  The examiner can normally be reached on M-F, 9:00 AM to 6:00 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Xiao Wu can be reached on 571-272-7761.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


Sarah Lhymn
Primary Examiner
Art Unit 2613



/Sarah Lhymn/Primary Examiner, Art Unit 2613