DETAILED ACTION
Notice of Pre-AIA or AIA Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

2.	This Office Action is directed to the Applicant’s response filed 11-20-2020.

3.	Claims 1-21 are pending and have been examined.

Response to Arguments
4.	Applicant’s Argument:
The Applicant argues that Zadok fails to teach the feature of an overlay file system, and argues that the stackable file system taught by Zadok cannot be construed as an overlay file system. The Applicant then argues that this difference distinguishes Zadok from the claimed invention.
	Examiner’s Response:	
The Examiner respectfully disagrees with the Applicant regarding the Zadok reference and maintains that the reference does teach an overlay file system. For example, at paragraph [0016] Zadok teaches that a stackable file system may be mounted atop a target file system and act as a filter for file operation commands directed to the target file system. This arrangement is virtually indistinguishable from the Applicant’s instant invention. For example, at paragraph [0079] Zadok teaches an anti-viral file system (AVFS) that is a stackable file system and which may be mounted over 
Applicant’s Argument:
The Applicant further argues that Zadok fails to teach the feature of claims 3, 10 and 17 of explicitly determining whether a “given file” itself has been modified for the “analyzing” operation. The Applicant states “Rather, paragraph [0075] references an “anti-virus” operation that uses a virus scanner [0073]; the scanner is called to examine for a signature indicative of a virus.”
Examiner’s Response:
	The Examiner respectfully disagrees with the Applicant and maintains that Zadok teaches the step of determining whether a “given file” has been modified. For example, in Zadok at paragraph [0075], in one implementation data being written to a file is scanned for viruses; if a virus is detected, the file is allowed to be written to only after a clean backup copy is made, so that an administrator can investigate the event. This reads on detecting whether a “given file” is modified. As a further example, at paragraph [0080] Zadok teaches that a file is scanned for the presence of a virus as it is read. This reads on detecting whether a given file has been modified. 
	Applicant’s Argument:
	The Applicant further argues that Zadok fails to teach the features of claims 4, 11 and 18 of extracting file features from a given file being analyzed. The Applicant states “…rather, the virus scanner recognizes the signature of a virus and “quarantines” the virus itself.”
Examiner’s Response:
	The Examiner respectfully disagrees with the Applicant’s interpretation of the Zadok reference and maintains that the reference does indeed teach the claim limitation. For example, at paragraph [0080] Zadok teaches that individual files are scanned as they are read during the process of being written to disk. At paragraph [0075] Zadok teaches that as a file is read out, any data representing a virus is isolated before it is written to another file. These paragraphs teach the step of “extracting” a file feature, since the code representing the virus is read out from a file and then isolated. The virus code is “extracted” from a file by this process.
	The balance of the Applicant’s arguments regarding the 35 USC Sec. 103 rejections depend on those already addressed supra.
	The Applicant’s arguments regarding the objections to the drawings set forth in the previous Office Action are persuasive and these objections are withdrawn.

Claim Rejections - 35 USC § 103
5.	In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have 

6.	The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

7.	This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

8.	Claims 1-21 are rejected under 35 U.S.C. 103 as being unpatentable over Goyal et al., US 10,558,818 B2, and Zadok et al., US 2005/0273858 A1.

	As for claim 1, Goyal teaches:

associating a particular filesystem overlay with a subject (col. 2 lines 17-45: each subject, e.g. an application, is assigned a security context label, and an access control policy implemented by the overlay filesystem determines which objects, e.g. files, the subject application is authorized to access);
as the subject performs file-based activity in the particular filesystem overlay, capturing information indicative of the file-based activity (col. 2 lines 49-53: an application’s attempt to access a file is monitored);
analyzing the captured information to determine whether the subject associated with the file-based activity is malicious (col. 2 lines 49-53: an application’s security context label is determined by a kernel security module and evaluated to see if it comports with an access control policy set for a particular file the application is seeking to access, col. 6 lines 28-46); and
upon a determination that the subject associated with the file-based activity is malicious, taking a predetermined action to protect the filesystem (col. 2 lines 49-53: an application’s security context label is determined by the kernel security module and evaluated to see if it comports with an access control policy set for a particular file the application is seeking to access. If the application’s security context label is such that the application is not permitted access by the security policy, reading on a determination as to whether the application, i.e. subject, is malicious, the application is blocked from access by the kernel security module, col. 4 lines 12-19, col. 6 lines 28-46).

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have incorporated this feature into the invention of Goyal. It would have been desirable to do so since incorporating a writeable base filesystem into the system of Goyal would provide for increased portability of the base filesystem since changes made to the files would be stored in the base file system and not just the overlay layer, e.g. a base layer could be moved to a different mounting while maintaining any changes made, thereby increasing the utility of Goyal’s invention. 
As for claim 2, the combination of Goyal and Zadok teaches the method as described in claim 1. Goyal teaches the additional step wherein the file-based activity is one of: creation of a file, deletion of a file, and modification of a file (col. 6 lines 37-43: kernel security module will determine if an application has read/write access, reading on modification of a file).
Zadok offers an additional and somewhat more explicit teaching of the feature wherein the file based activity is one of creation of a file, deletion of a file, and modification of a file ([0075]: anti-virus stackable file system will detect changes made to a file indicative of a virus signature). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have incorporated this feature into the 

As for claim 3, the combination of Goyal and Zadok teaches the method as described in claim 1. 
Zadok teaches the additional feature not taught by Goyal wherein
analyzing the captured information includes, for a given file, determining whether the given file has been modified as a result of the file-based activity ([0075]: anti-virus stackable file system will detect changes made to a file indicative of a virus signature). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have incorporated this feature into the invention of Goyal. It would have been desirable to do so since incorporation of the ability to analyze a file to detect if changes have been made to it would enhance the forensic analysis conducted by Goyal’s system and thereby increase the accuracy of detection of malicious file-based activity, thus increasing the utility of Goyal’s invention.
As for claim 4, the combination of Goyal and Zadok teaches the method as described in claim 3. Zadok teaches the additional features not taught by Goyal further including extracting file features from the given file upon a determination that the given file has been modified as a result of the file-based activity ([0075]: AVS quarantines the virus after detection).


As for claim 5, the combination of Goyal and Zadok teaches the method as described in claim 4. Zadok teaches the additional features not taught by Goyal further including using the file features extracted to identify one or more indicators of compromise ([0082]-[0083]: virus scanner may use pattern matching to identify a viral signature).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have incorporated this feature into the invention of Goyal. It would have been desirable to do so since incorporation of the ability to extract file features after detecting modifications made to the file in order to detect indicators of compromise would enhance the forensic analysis conducted by Goyal’s system since these features could, for example, then be studied by an administrator or be sent to a security analysis provider such as an anti-virus software vender, and thereby increase the accuracy of detection of malicious file-based activity, thus increasing the utility of Goyal’s invention.

As for claim 6, the combination of Goyal and Zadok teaches the method as described in claim 5. Zadok teaches the additional features not taught by Goyal further including determining whether the subject associated with the file-based activity is malicious based on the one or more indicators of compromise ([0082]-[0083]: virus scanner may use pattern matching to identify a viral signature associated with a process attempting to write to a file).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have incorporated this feature into the invention of Goyal. It would have been desirable to do so since incorporation of the ability to extract file features after detecting modifications made to the file in order to detect indicators of compromise associated with a subject responsible for the modification of a file, and determine if the subject is malicious are steps that would enhance the forensic analysis conducted by Goyal’s system and thereby increase the accuracy of detection of malicious file-based activity, thus increasing the utility of Goyal’s invention.

As for claim 7, the combination of Goyal and Zadok teaches the method as described in claim 6. Zadok teaches the additional features not taught by Goyal wherein the predetermined action to protect the filesystem is one of: issuing an alert, blocking additional file-based activity associated with the subject ([0075]: as soon as a process, i.e. an application, attempts to write a virus, the antiviral file system (AVFS) returns an error to the process before the changes are made to the file), quarantining the suspect ([0075]: suspect file is quarantined), reassigning trust dynamically to hide certain files, injecting one or more new deceptions, and gathering and sharing threat intelligence. 


As for claims 8-14 and 15-21, these claims are drawn to the apparatus and computer program product, respectively, that correspond to the method of claims 1-7. Claims 8-14 and 15-21 teach substantially the same limitations as claims 1-7 and are therefore rejected on the same basis as claims 1-7.
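The method recited in claims 1-7 (an overlay associated with a subject carrying a security context label, capture of the subject's file-based activity, analysis that checks whether a given file was modified, extracts file features and maps them to indicators of compromise, and a predetermined protective action) is modeled below as a small Python program. This is an illustration added by the editor, not code from the Applicant, Goyal or Zadok. The copy-on-write overlay, the label-to-path policy, the IOC signature table and the sample file contents are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed IOC signature table (byte pattern -> indicator name).
# Illustrative patterns only, not real malware signatures.
IOC_SIGNATURES = {
    b"DROPPER-STAGE2": "dropper.stage2",
    b"#!/bin/sh\nnc -e": "reverse-shell.netcat",
}


@dataclass
class Event:
    subject: str
    op: str      # "create", "modify", "delete" or "denied"
    path: str


@dataclass
class OverlayFS:
    """Copy-on-write overlay: reads fall through to `lower`, writes land in
    `upper`, which is private to the subject this overlay is associated with.
    `policy` maps a security context label to the path prefixes it may write."""
    subject: str
    label: str
    lower: dict
    policy: dict
    upper: dict = field(default_factory=dict)
    whiteouts: set = field(default_factory=set)   # deleted/hidden in this layer
    events: list = field(default_factory=list)    # captured file-based activity
    blocked: bool = False

    def _allowed(self, path):
        return any(path.startswith(p) for p in self.policy.get(self.label, ()))

    def read(self, path):
        if path in self.whiteouts:
            return None
        return self.upper.get(path, self.lower.get(path))

    def _check(self, path):
        if self.blocked:
            raise PermissionError(f"subject {self.subject} is blocked")
        if not self._allowed(path):
            self.events.append(Event(self.subject, "denied", path))
            raise PermissionError(f"label {self.label} may not write {path}")

    def write(self, path, data):
        self._check(path)
        op = "modify" if self.read(path) is not None else "create"
        self.whiteouts.discard(path)
        self.upper[path] = data
        self.events.append(Event(self.subject, op, path))

    def delete(self, path):
        self._check(path)
        self.upper.pop(path, None)
        self.whiteouts.add(path)
        self.events.append(Event(self.subject, "delete", path))


def file_modified(fs, path):
    """Claim 3: does the given file differ from its base-layer version?"""
    cur, orig = fs.upper.get(path), fs.lower.get(path)
    if cur is None:
        return False
    return orig is None or hashlib.sha256(cur).digest() != hashlib.sha256(orig).digest()


def extract_features(data):
    """Claim 4: features of a modified file (hash, size, raw content)."""
    return {"sha256": hashlib.sha256(data).hexdigest(), "size": len(data), "content": data}


def indicators(features):
    """Claim 5: map extracted features to indicators of compromise."""
    return sorted(n for sig, n in IOC_SIGNATURES.items() if sig in features["content"])


def analyze(fs):
    """Claims 1 and 6: derive IOCs for the subject from its captured activity."""
    iocs = set()
    for ev in fs.events:
        if ev.op == "denied":
            iocs.add("policy-violation:" + ev.path)
        elif ev.op in ("create", "modify") and file_modified(fs, ev.path):
            iocs.update(indicators(extract_features(fs.upper[ev.path])))
    return sorted(iocs)


def protect(fs, iocs, quarantine):
    """Claim 7: predetermined actions: alert, block the subject, quarantine files."""
    alerts = []
    if iocs:
        fs.blocked = True
        alerts.append(f"ALERT subject={fs.subject} label={fs.label} iocs={iocs}")
        for path, data in list(fs.upper.items()):
            if indicators(extract_features(data)):
                quarantine[path] = fs.upper.pop(path)
                fs.whiteouts.add(path)   # hide the quarantined file from the subject
    return alerts


def demo():
    """Constructed scenario: one benign edit, one dropped payload, one policy violation."""
    lower = {"/etc/motd": b"welcome\n", "/app/config.ini": b"debug=0\n"}
    policy = {"app_t": {"/app/", "/tmp/"}}
    fs = OverlayFS("updater", "app_t", lower, policy)
    fs.write("/app/config.ini", b"debug=1\n")
    fs.write("/tmp/payload.bin", b"hdr DROPPER-STAGE2 tail")
    try:
        fs.write("/etc/motd", b"owned\n")
    except PermissionError:
        pass
    iocs = analyze(fs)
    quarantine = {}
    alerts = protect(fs, iocs, quarantine)
    return fs, iocs, quarantine, alerts
```

Denied accesses are recorded as activity in their own right, so a subject whose label does not permit a write still leaves a captured event for the analysis step; the base layer is never touched, so a quarantined or blocked subject cannot have altered files that other subjects see.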

Conclusion
9.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following US Patent document teaches features of an overlay file system similar to those used in the Applicant’s invention:
	Hipp et al., US 7,197,516
	
10.	Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  

	
11.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to PAUL E CALLAHAN whose telephone number is (571)272-3869.  The examiner can normally be reached on M-Th; Tu-F: 8am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid can be reached on 571-272-4063.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  
/PAUL E CALLAHAN/Examiner, Art Unit 2437