Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This written action responds to the communication dated August 27, 2019.
In the application dated August 27, 2019, claims 1, 8 and 15 were amended.
Claims 1-20 are allowed.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below.  Should the changes and/or additions be unacceptable to Applicant, an amendment may be filed as provided by 37 CFR 1.312.  To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with Ms. Chana L. Stein (registration number 74,454) on February 22, 2021.  During the telephone conference, Ms. Stein agreed to and authorized the examiner to further amend claims 1-20 of the application dated August 27, 2019.


Claims

Replacing Claims 1-20 of the application dated August 27, 2019 with the following:
Claim 1: 
	A method for machine-learned detection and removal of malicious software within a network, the method comprising:
	receiving a request for tracing a network application;
	allocating memory in a trace data repository for tracing the network application;
	recording, within [[a]] the trace data repository, environment behavior of:
		[[a]] the network application; and
		a plurality of network components that communicate with the network application, said network components comprising software layers, software dependencies, libraries and hardware dependencies;
	identifying each of the software layers, software dependencies, libraries and hardware dependencies using a unique identifier;
	combining the unique identifiers into an application reference identifier, said application reference identifier comprising the combination of network components that communicates with the network application and the order in which the network application communicates with the network components;
	based on the recorded environment behavior, generating a baseline dataset within the trace data repository,
	scheduling a plurality of snapshots of the network application, each of the snapshots occurring at a predetermined periodic interval;
	capturing a first snapshot of the network application and the plurality of components, the first snapshot corresponding to one of the plurality of scheduled snapshots;
	storing the first snapshot in the trace data repository;
	monitoring the network application and the plurality of components, using the stored snapshots and the baseline dataset, for any deviation in the environment behavior;
	detecting a first deviation in the environment behavior of the network application or the plurality of components;
	in response to detecting a first deviation, capturing a second snapshot of the network application and the plurality of components, the second snapshot being inconsistent with the plurality of scheduled snapshots;
	transmitting the second snapshot as an alert to one or more stakeholders associated with the network application;
	receiving a flag from the one or more stakeholders relating to the first deviation, the flag identifying the first deviation as intended or unwarranted; 
	detecting a second deviation included in the network application or the plurality of components;
	identifying a second deviation as intended or unwarranted based on the received flag;
	upon determining that the second deviation is unwarranted, and, therefore, is directed to malicious software, reverting, using the network application reference identifier, the network application and the plurality of components back to a previous version of the network application and the plurality of components, thereby removing the malicious software; and
	upon determining that the second deviation is intended, storing the intended deviation in a log of verified intended deviations.

Claim 2:
	The method of claim 1, wherein the scheduling is based on a level of criticality associated with the network application.

Claim 3: 
	The method of claim 1, wherein the previous version of the network application and the plurality of components is the most recent snapshot, prior to the second deviation, of the network application and the plurality of components.

Claim 4: 
	The method of claim 1, wherein the stored snapshots are used to identify issues and their causes, associated with the network application and the plurality of components.

Claim 5: 
	The method of claim 1, wherein the stored snapshots are used to enhance the performance of a transmitted new application, such that an engine learns from the recorded environment behavior to simulate at least one new application and determine a suitable set of tools, components, code routines and/or environment for hosting the new application.

Claim 6: 
	The method of claim 1, wherein the stored snapshots are used to identify and determine a composite security breach exposure metric of an environment, said environment that includes the network application and the plurality of components, said composite security breach exposure metric corresponding to the sum of a plurality of security breach exposure metrics, each security breach exposure metric corresponding to one of the plurality of components.

Claim 7: 
	The method of claim 1, wherein the stored snapshots are used to appropriately allocate resources within the network.

Claim 8: 
	An apparatus for machine-learned detection and removal of malicious software within a network, the apparatus comprising:
	a trace data repository, the trace data repository configured to:
		receive a request for tracing a network application;
		allocate memory for tracing the network application;
		record environment behavior of:
			the network application; and
			a plurality of network components that communicate with the network application, said network components comprising software layers, software dependencies, libraries and hardware dependencies;
		identify each of the software layers, software dependencies, libraries and hardware dependencies using a unique identifier;
		combine the unique identifiers into an application reference identifier, said application reference identifier comprising the combination of network components that communicates with the network application and the order in which the network application communicates with the network components;
	a processor configured to:
		generate a baseline dataset based on the recorded environment behavior; and
		store the baseline dataset in the trace data repository;
	a hardware-processor-scheduler configured to generate a schedule for capturing a plurality of substantially simultaneous snapshots of the network application and the plurality of components at a plurality of predetermined periodic intervals; 
	the processor further configured to:
		capture a plurality of simultaneous snapshots of the network application and the plurality of components according to the schedule;
		store the plurality of captured snapshots in the trace data repository;
		monitor the network application and the plurality of components, for any deviation in the environment behavior of the network application or the plurality of components;
		detect a deviation in the environment behavior of the network application or in at least one of the plurality of components;
		in response to detecting the deviation, capture a second simultaneous snapshot of the network application and the plurality of components, the second simultaneous snapshot being inconsistent with the schedule;
		determine, based on previously recorded snapshots, whether the deviation is intended or unwarranted; 
		upon determination that the deviation is unwarranted, revert, using the network application reference identifier, the network application and the plurality of components to a previous version of the network application and the plurality of components, thereby removing the malicious software; and
		upon determination that the deviation is intended, storing the intended deviation in a log of verified intended deviations. 

Claim 9: 
	The apparatus of claim 8, wherein the scheduler generates the schedule based on a level of criticality associated with the network application.

Claim 10: 
	The apparatus of claim 8, wherein the previous version of the network application and the plurality of components is the most recent snapshot, prior to the deviation, of the network application and the plurality of components.

Claim 11: 
	The apparatus of claim 8, wherein the stored snapshots are used to identify issues and their causes, associated with the network application and the plurality of components.

Claim 12: 
	The apparatus of claim 8, wherein the stored snapshots are used to enhance the performance of a transmitted new application, such that an engine learns from the recorded environment behavior to simulate at least one new application and determine a suitable set of tools, components, code routines and/or environment for hosting the new application.

Claim 13: 
	The apparatus of claim 8, wherein the stored snapshots are used to identify and determine a composite security breach exposure metric of an environment, said environment that includes the network application and the plurality of components, said composite security breach exposure metric corresponding to the sum of a plurality of composite security breach exposure metrics, each security breach exposure metric corresponding to one of the plurality of components.

Claim 14: 
	The apparatus of claim 8, wherein the stored snapshots are used to appropriately allocate resources within the network.

Claim 15: 
	A method for machine-learned detection and removal of malicious software within a network, the method comprising:
	receiving a request for tracking a network application;
	allocating memory in a trace data repository for tracing the network application;
	recording, within a trace data repository, environment behavior of:
		[[a]] the network application; and
		a plurality of network components that communicate with the network application, said network components comprising software layers, software dependencies, libraries and hardware dependencies;
	identifying each of the software layers, software dependencies, libraries and hardware dependencies using a unique identifier;
	combining the unique identifiers into an application reference identifier, said application reference identifier comprising the combination of network components that communicates with the network application and the order in which the network application communicates with the network components;
	based on the recorded environment behavior, generating a baseline dataset within the trace data repository;
	scheduling a plurality of snapshots of the network application, each of the snapshots occurring at a predetermined periodic interval;
	capturing a first snapshot of the network application and the plurality of components, the first snapshot corresponding to one of the plurality of scheduled snapshots;
	storing the first snapshot and data associated with the first snapshot in the trace data repository, said data comprising:
		a trace identification sequence identifying the network application;
		an infra reference identifier identifying an environment setup of the network application at the time of the first snapshot;
		an application span reference identifier identifying the plurality of components that communicate with the network application at the time of the first snapshot;
		a code reference identifying a static reference to a deployed piece of code, said deployed piece of code being the basis for functioning of the network application;
	performing a simulated restoration of the network application and the plurality of components back to the first snapshot;
	based on the simulated restoration, determining a confidence level for recovering the network application and the plurality of components;
	storing, in a restoration reference repository:
		an iteration identifier identifying the first snapshot;
		a recoverability metric identifying the confidence level;
	monitoring the network application and the plurality of components, using the trace data repository, for any deviation in the environment behavior;
	detecting a deviation in the environment behavior of the network application or the plurality of components;
	in response to detecting the deviation, receiving a flag relating to the deviation;
	based on the received flag, identifying the deviation as intended or unwarranted; 
	determining that the deviation is unwarranted 
	upon determining that the deviation is unwarranted, reverting, using the network application reference identifier, the network application and the plurality of components back to a previous version of the network application and the plurality of components, thereby removing the malicious software, said previous version being the most recent snapshot in which the recoverability metric is above a predetermined figure; and
	upon determining that the deviation is intended, storing the intended deviation in a log of verified intended deviations.

Claim 16: 
	The method of claim 15, wherein the scheduling is based on a level of criticality associated with the network application.

Claim 17: 
	The method of claim 15, wherein the stored snapshots are used to identify issues and their causes, associated with the network application and the plurality of components.

Claim 18: 
	The method of claim 15, wherein the stored snapshots are used to enhance the performance of a transmitted new application, such that an engine learns from the recorded environment behavior to simulate at least one new application and determine a suitable set of tools, components, code routines and/or environment for hosting the new application.

Claim 19: 
	The method of claim 15, wherein the stored snapshots are used to identify and determine a composite security breach exposure metric of an environment, said environment that includes the network application and the plurality of components, said composite security breach exposure metric corresponding to the sum of a plurality of security breach exposure metrics, each security breach exposure metric corresponding to one of the plurality of components.

Claim 20: 
	The method of claim 15, wherein the stored snapshots are used to appropriately allocate resources within the network.

Allowable Subject Matter
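The claims above recite one procedure: an application reference identifier built from the ordered component identifiers, a baseline dataset, scheduled snapshots plus an unscheduled snapshot on a deviation, a stakeholder flag, a log of verified intended deviations, and a revert to the most recent snapshot whose recoverability metric is above a threshold (claim 15). The following Python model is an added illustration, not code from the application or the examiner; the SHA-256 combination of identifiers, the `flag` callback standing in for the stakeholders, and the recoverability values supplied by the caller are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Optional
import hashlib


def app_reference_id(components) -> str:
    """Combine the components' unique identifiers into one application reference
    identifier. Joining in list order keeps the order in which the application
    communicates with the components, so a reordering changes the identifier too.
    (SHA-256 is an assumed choice; the claims only require a combination.)"""
    return hashlib.sha256("|".join(components).encode()).hexdigest()[:16]


@dataclass(frozen=True)
class Snapshot:
    iteration: int         # iteration identifier of this snapshot
    components: tuple      # ordered component identifiers at capture time
    ref_id: str            # application reference identifier at capture time
    scheduled: bool        # False for the extra snapshot taken on a deviation
    recoverability: float  # confidence level from a simulated restoration (assumed input)


@dataclass
class Verdict:
    verdict: str                     # "intended" or "unwarranted"
    alert: Snapshot                  # unscheduled snapshot transmitted to stakeholders
    restored_to: Optional[Snapshot]  # None unless an unwarranted deviation was reverted


class TraceRepository:
    def __init__(self, baseline_components):
        # Baseline dataset: here reduced to the reference id of the known-good environment.
        self.baseline = app_reference_id(baseline_components)
        self.snapshots: list[Snapshot] = []
        self.intended_log: list[Snapshot] = []  # log of verified intended deviations

    def capture(self, components, scheduled: bool, recoverability: float) -> Snapshot:
        """Store a snapshot together with its iteration id and recoverability metric."""
        snap = Snapshot(len(self.snapshots) + 1, tuple(components),
                        app_reference_id(components), scheduled, recoverability)
        self.snapshots.append(snap)
        return snap

    def monitor(self, components, flag: Callable[[Snapshot], str],
                recoverability: float, threshold: float) -> Optional[Verdict]:
        """Compare the live environment with the baseline and the verified-intended log.
        `flag` stands in for the stakeholders' answer ("intended" or "unwarranted")."""
        ref = app_reference_id(components)
        known = {self.baseline} | {s.ref_id for s in self.intended_log}
        if ref in known:
            return None  # no deviation in environment behavior
        # Deviation: take a snapshot outside the schedule and send it as the alert.
        alert = self.capture(components, scheduled=False, recoverability=recoverability)
        if flag(alert) == "intended":
            self.intended_log.append(alert)
            return Verdict("intended", alert, None)
        # Unwarranted: revert to the most recent earlier snapshot whose recoverability
        # metric is above the threshold; the alert snapshot itself is never a candidate.
        candidates = [s for s in self.snapshots[:-1] if s.recoverability > threshold]
        target = candidates[-1] if candidates else None
        return Verdict("unwarranted", alert, target)
```

A snapshot with a low recoverability metric is skipped even if it is the most recent one, which is the point of claim 15's "above a predetermined figure" condition.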
Claims 1-20 are allowed.

Examiner’s Statement of Reasons for Allowance
The following is an examiner’s statement of reasons for allowance:
Independent claim 1 is allowable based on the amendments presented in the application dated August 27, 2019 and the examiner’s amendment dated February 22, 2021.
Specifically, the independent claim 1 now recites limitations as follows:

“A method for machine-learned detection and removal of malicious software within a network, the method comprising:
	receiving a request for tracing a network application;
	allocating memory in a trace data repository for tracing the network application;
	recording, within the trace data repository, environment behavior of:
		the network application; and
		a plurality of network components that communicate with the network application, said network components comprising software layers, software dependencies, libraries and hardware dependencies;
	identifying each of the software layers, software dependencies, libraries and hardware dependencies using a unique identifier;
	combining the unique identifiers into an application reference identifier, said application reference identifier comprising the combination of network components that communicates with the network application and the order in which the network application communicates with the network components;
	based on the recorded environment behavior, generating a baseline dataset within the trace data repository,
	scheduling a plurality of snapshots of the network application, each of the snapshots occurring at a predetermined periodic interval;
	capturing a first snapshot of the network application and the plurality of components, the first snapshot corresponding to one of the plurality of scheduled snapshots;
	storing the first snapshot in the trace data repository;
	monitoring the network application and the plurality of components, using the stored snapshots and the baseline dataset, for any deviation in the environment behavior;
	detecting a first deviation in the environment behavior of the network application or the plurality of components;
	in response to detecting a first deviation, capturing a second snapshot of the network application and the plurality of components, the second snapshot being inconsistent with the plurality of scheduled snapshots;
	transmitting the second snapshot as an alert to one or more stakeholders associated with the network application;
	receiving a flag from the one or more stakeholders relating to the first deviation, the flag identifying the first deviation as intended or unwarranted; 
	detecting a second deviation included in the network application or the plurality of components;
	identifying a second deviation as intended or unwarranted based on the received flag;
	upon determining that the second deviation is unwarranted, and, therefore, is directed to malicious software, reverting, using the network application reference identifier, the network application and the plurality of components back to a previous version of the network application and the plurality of components, thereby removing the malicious software; and
	upon determining that the second deviation is intended, storing the intended deviation in a log of verified intended deviations”.

The reference by Dokey et al. (US PGPUB No. US 2015/0082428) discloses, in FIG. 2, that the activity monitor 204 in the control plane 202 might determine that a change in software version is being detected on hosts in one or more of the host groups 208, 210, 212. This change can be compared to the baseline to determine whether the behavior is an expected or "good" behavior as indicated in the baseline. If the baseline does not indicate that the behavior is acceptable, the behavior can be (Fig. 2, ¶23). A baseline can take any of a number of forms and can include a combination of a number of (¶26-¶27). Referring again to FIG. 2, a team might bring a new host 214 online. In response, hosts 216 of a certain type might begin (¶31). FIG. 4 illustrates an example process 400 for generating and updating a baseline that can be used in accordance with various embodiments. It should be understood that for this and other processes discussed herein there can be additional, fewer, or alternative steps performed in similar or alternative orders, or at least partially in parallel, within the scope of the various embodiments (Fig. 4, ¶38-¶39). FIG. 5 illustrates an example process 500 for using such a baseline or baseline model to determine whether observed behavior is acceptable or expected behavior in accordance with various embodiments. In this example, a fleet of machines (or other such grouping of electronic resources) is monitored 502 as discussed or suggested herein. During the monitoring, a change in behavior, or new behavior, can be detected 504. As discussed, this can include various types of behavior, such as deployment or installation of software packages, configuration of various resources, communication among the various resources, and the like. Information for the behavior can be compared 506 against the baseline to determine if the behavior is listed as a "good" or otherwise acceptable or expected behavior. 
If it is determined 508 to be a good behavior, the behavior can be allowed 510 to continue and information for the behavior can be used to update the baseline as appropriate. If the behavior is not indicated to be an acceptable behavior according to the baseline, for example, that detected behavior can be monitored 512 for at least a period of time to attempt to determine the extent, rate, and/or prevalence of the behavior. For example, a deployment or change in configuration can be monitored to attempt to determine the rate and/or pattern of the change, as well as the number of resources likely to be (Fig. 5, ¶40-¶41).
The reference by Anthony James Cochenour (US PGPUB No. US 2017/0230389) discloses that FIG. 7 is a flowchart of a method 700 for providing behavioral model based computing system security, in accordance with one or more embodiments. Method 700 begins with step 701 in which a processor such as processor 803, or a control platform or module such as the malware identification platform 103, implemented in chip set 800 discussed in FIG. 8, executes an instruction to generate a behavioral model configured to describe one or more interactions associated with protected data accessible by way of a computing device (Fig. 7, ¶141-¶148). 
The reference by Sankaraman et al. (US PGPUB No. US 2014/0090072) discloses that FIG. 3 shows a method 300 for isolating a device associated with at least potential data leakage activity, based on user input, in accordance with one embodiment. As an option, the method 300 may be implemented in the context of the architecture and environment of FIGS. 1 and/or 2. Of course, however, the method 300 may be carried out in any desired environment. As shown, at least potential data leakage activity associated with a device is identified. See operation 302. In the context of the present description, at least potential data leakage activity refers to any activity where data becomes accessible to an unauthorized user or (Fig. 3, ¶19-¶27).
However, each of the cited references, and each reference from the updated search, at least fails to teach or suggest the limitations regarding “……identifying each of the software layers, software dependencies, libraries and hardware dependencies using a unique identifier; combining the unique identifiers into an application reference identifier, said application reference identifier comprising the combination of network components that communicates with the network application and the order in which the network application communicates with the network components….transmitting the second snapshot as an alert to one or more stakeholders associated with the application;
	receiving a flag from the one or more stakeholders relating to the first deviation, the flag identifying the first deviation as intended or unwarranted; 
	detecting a second deviation included in the application or the plurality of components;
	identifying a second deviation as intended or unwarranted based on the received flag 
	upon determining that the second deviation is unwarranted, and, therefore, is directed to malicious software, reverting the application and the plurality of components back to a previous version of the application 
None of the previously cited prior art references, nor any reference from the updated search, would reasonably, either singly or in combination with the previously cited references, support a proper rejection of each of the cited feature limitations of independent claim 1 under 35 U.S.C. 102 or 35 U.S.C. 103 with proper motivation.
Claim 8 is the apparatus claim corresponding to method claim 1 above, and therefore it is also allowed.
Claim 15 is also a method claim corresponding to method claim 1 above, and recites additional steps, “a trace identification sequence identifying the application;
		an infra reference identifier identifying an environment setup of the application at the time of the first snapshot;
		an application span reference identifier identifying the plurality of components that  communicate with the application at the time of the first snapshot;
		a code reference identifying a static reference to a deployed piece of code, said deployed piece of code being the basis for functioning of the application;
	performing a simulated restoration of the application and the plurality of components back to the first snapshot;

Claims 2-7 depend on the allowed claim 1, and therefore, they are also allowed.
Claims 9-14 depend on the allowed claim 8, and therefore, they are also allowed.
Claims 16-20 depend on the allowed claim 15, and therefore, they are also allowed.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance".

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to DARSHAN I DHRUV whose telephone number is (571)272-4316.  The examiner can normally be reached on M-F 9:00 AM-5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/DARSHAN I DHRUV/Examiner, Art Unit 2498