DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Ismael et al. (US Pub. 20160191550 A1).

Ismael discloses the following limitations:

1. A system comprising: at least one processor; and memory storing instructions that, when executed by the at least one processor, causes the system to perform a set of operations, the set of operations comprising : 
generating, by a threat processor, an inspection point, the inspection point causing an exception when a set of software instructions encounters the inspection point during execution of the set of software instructions by the at least one processor (para. 16, 41, 48- the monitors may include breakpoints within code of the object (process) being monitored. The breakpoints may be configured to trigger capability violations used to gather or monitor the run-time behaviors. For instance, a breakpoint may be inserted into a section of code of the process (e.g., operating system process) running in the operating system kernel 230. When the code executes, e.g., in response to the process accessing the object, an interception point may be triggered and a capability violation generated to enable monitoring of the executed code. In other words, an exception may be generated on the breakpoint and execution of the code by the process may be tracked by the microvisor 300 and VMM 0, where the exception is a capability violation); 
registering, by the threat processor, an exception handler to handle the exception associated with by the inspection point (para. 48- the monitors may include breakpoints within code of the object (process) being monitored. The breakpoints may be configured to trigger capability violations used to gather or monitor the run-time behaviors. For instance, a breakpoint may be inserted into a section of code of the process (e.g., operating system process) running in the operating system kernel 230. When the code executes, e.g., in response to the process accessing the object, an interception point may be triggered and a capability violation generated to enable monitoring of the executed code. In other words, an exception may be generated on the breakpoint and execution of the code by the process may be tracked by the microvisor 300 and VMM 0, where the exception is a capability violation); 
(para. 49- static analysis results and dynamic analysis results may be stored in memory 220 (e.g., in system logger 470) and provided (e.g., as inputs via VMM 0) to the BALE 410, which may provide correlation information (e.g., as an output via VMM 0) to the classifier 420. Alternatively, the results or events may be provided or reported to the MDS 200.sub.M for correlation. The BALE 410 may be embodied as a rules-based correlation engine illustratively executing as an isolated process (module) disposed over the microvisor 300 within the architecture 400. In accordance with the malware detection endpoint architecture 400, the BALE 410 is illustratively associated with (bound to) a copy of PD 0 (e.g., PD R). The microvisor 300 may copy (i.e., "clone") the data structures (e.g., execution contexts, scheduling contexts and capabilities) of PD 0 to create PD R for the BALE 410, wherein PD R has essentially the same structure as PD 0 except for the capabilities associated with the kernel resources); 
evaluating the context record to determine if an exploit is present; and when it is determined that an exploit is present (para. 50- In an embodiment, the BALE 410 may be configured to operate on correlation rules that define, among other things, sequences of known malicious events (if-then statements with respect to, e.g., attempts by a process to change memory in a certain way that is known to be malicious). The events may collectively correlate to malicious behavior. As noted, a micro-VM may be spawned to instrument a suspect process (object) and cooperate with the microvisor 300 and VMM 0 to generate capability violations in response to interception points, which capability violations are provided as dynamic analysis result inputs to the BALE 410. The rules of the BALE 410 may then be correlated against those dynamic analysis results, as well as static analysis results, to generate correlation information pertaining to, e.g., a level of risk or a numerical score used to arrive at a decision of (deduce) maliciousness),
 performing at least one corrective action for the exploit (para. 52- A reporting logic engine 450 may execute as a user mode process in the operating system kernel 230 that is configured to generate an alert for transmission external to the endpoint (to, e.g., one or more other endpoints 200.sub.E, a management appliance, or MDS 200.sub.M) in accordance with "post-solution" activity). 

2. The system of claim 1, wherein generating the inspection point comprises performing at least one action selected from the group of actions consisting of: altering an application programming interface to incorporate an instruction causing the exception; setting a process breakpoint at the at least one processor to generate the exception; setting a hardware breakpoint at the at least one processor to generate the exception; and removing at least one of execute access, read access, and write access to a memory page of the memory. (para. 48- the monitors may include breakpoints within code of the object (process) being monitored. The breakpoints may be configured to trigger capability violations used to gather or monitor the run-time behaviors. For instance, a breakpoint may be inserted into a section of code of the process (e.g., operating system process) running in the operating system kernel 230)

3. The system of claim 2, wherein the instruction is one of a privileged instruction, a breakpoint instruction, or an invalid instruction. (para. 48- the monitors may include breakpoints within code of the object (process) being monitored. The breakpoints may be configured to trigger capability violations used to gather or monitor the run-time behaviors. For instance, a breakpoint may be inserted into a section of code of the process (e.g., operating system process) running in the operating system kernel 230)


4. The system of claim 1, wherein the context record comprises at least one of: a call stack associated with the set of software instructions; or a record of one or more registers when the set of software instructions encountered the inspection point. (para. 30, 42- the state of the process may be realized through the contents of the execution context 320 (e.g., CPU registers, stack, program counter, and/or allocation of memory) executing at the time of each capability violation.)

5. The system of claim 4, wherein evaluating the context record comprises evaluating at least one of: the call stack, as identified by a call stack pointer of the context record; the record of the one or more registers; or decompiled code associated with one or more locations in the memory that are associated with the record of the one or more registers. (para. 30)

(para. 48-49)

7. The system of claim 1, wherein evaluating the context record comprises using a kernel-mode threat processor to determine if an exploit is present. (Fig. 4, microvisor in kernel space)

Regarding claims 8-20, the subject matter claimed pertain to method steps that correspond to the system elements of claims 1-7 and thus rejected for the same analysis.  Implementing the system would have necessitated carrying through the method steps as recited.    

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM A CORUM JR whose telephone number is (303)297-4234.  The examiner can normally be reached on Mon. - Fri. 8 AM - 5 PM EST.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on (571)272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/WILLIAM A CORUM JR/            Examiner, Art Unit 2433         

/JEFFREY C PWU/           Supervisory Patent Examiner, Art Unit 2433