Notice of Pre-AIA or AIA Status
The present application is being examined under the pre-AIA first to invent provisions.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 02/03/2021 has been entered.

Terminal Disclaimer
The terminal disclaimer filed on 06/17/2020, disclaiming the terminal portion of any patent granted on this application which would extend beyond the expiration date of US Patent 8,869,270 and US Patent 10,541,969, has been reviewed and is accepted. The terminal disclaimer has been recorded.

EXAMINER’S AMENDMENT
(Authorized by Applicant)
Authorization for this examiner’s amendment was given in a telephone interview with Marc A. Sockol, Registration No. 40,823 on 02/23/2021.

Please cancel claim 3 and amend claims 1, 12, 18 and 19 as follows:

1.	(Currently Amended) A security system configured to protect a mobile device from untrusted network data while the mobile device is roaming outside of a trusted network, the security system comprising: 
a security device configured to be directly connected to an external port of or installed in a mobile device, the security device comprising:
a routing device configured to receive untrusted network data intercepted from an untrusted network, the untrusted network data being sent to be processed by the mobile device, the intercepting and receiving occurring before a mobile device processor of the mobile device processes the untrusted network data; 
a security engine including security instructions operative to implement a security policy, the security instructions configured to provide in accordance with the security policy pre-runtime security protection from malicious or potentially malicious code in the untrusted network data without forcing a connection to a remote gateway; 
a dedicated security system processor dedicated to security functions and configured to execute the security engine, thereby enabling the security engine to receive the untrusted network data from the routing device, to evaluate the untrusted network data for violations of the security policy to identify the malicious or potentially malicious code in the untrusted network data in accordance with the security policy, to block the malicious or potentially malicious code from being provided to the mobile device, and to provide network data deemed safe to the routing device for transmission to the mobile device processor for processing, the network data deemed safe being at least a portion of the untrusted network data that was not identified as containing malicious or potentially malicious code in accordance with the security policy; and

dedicated storage accessible only by the dedicated security system processor, at least a portion of the security engine being stored in the dedicated storage.

12.	(Currently Amended) A method of protecting a mobile device from untrusted network data while the mobile device is roaming outside of a trusted network, the method comprising:
accessible only by the dedicated security system processor, the security device further including a security engine including security instructions operative to implement a security policy, at least a portion of the security engine being stored in the dedicated storage, the security instructions configured to provide in accordance with the security policy pre-runtime security protection from malicious or potentially malicious code in untrusted network data received from an untrusted source over an untrusted network without forcing a connection to a remote gateway;
the security engine being executed by the dedicated security system processor on the security system, the dedicated security system processor being dedicated to security functions, the executing the security engine assisting in causing the security system to perform the following steps:
receiving, by a routing device, particular untrusted network data intercepted from the untrusted network, the particular untrusted network data being sent to be processed by the mobile device, the intercepting and receiving occurring before a mobile device processor of the mobile device processes the untrusted network data;
using the security instructions to evaluate the particular untrusted network data for violations of the security policy to identify the malicious or potentially malicious code in the untrusted network data in accordance with the security policy; 
blocking the malicious or potentially malicious code from being provided to the mobile device; and
providing network data deemed safe to the routing device for transmission to the mobile device processor for processing, the network data deemed safe being at least a portion of the untrusted network data that was not identified as containing malicious or potentially malicious code in accordance with the security policy.


a security device configured to be directly connected to an external port of or installed in a mobile device, the security device comprising:
means for receiving untrusted network data intercepted from an untrusted network, the untrusted network data being sent to be processed by the mobile device, the intercepting and receiving occurring before a mobile device processor of the mobile device processes the untrusted network data; 
a security engine including security instructions operative to implement a security policy, the security instructions configured to provide in accordance with the security policy pre-runtime security protection from malicious or potentially malicious code in the untrusted network data without forcing a connection to a remote gateway; 
a dedicated security system processor dedicated to security functions and configured to execute the security engine, thereby enabling the security engine to receive the untrusted network data from the means for receiving, to evaluate the untrusted network data for violations of the security policy to identify the malicious or potentially malicious code in the untrusted network data in accordance with the security policy, to block the malicious or potentially malicious code from being provided to the mobile device, and to provide network data deemed safe to the means for receiving for transmission to the mobile device processor for processing, the network data deemed safe being at least a portion of the untrusted network data that was not identified as containing malicious or potentially malicious code in accordance with the security policy;

dedicated storage accessible only by the dedicated security system processor, at least a portion of the security engine being stored in the dedicated storage.

19.	(Currently Amended) A security system configured to protect a mobile device from untrusted network data while the mobile device is roaming outside of a trusted network, the security system comprising:

a dedicated security system processor dedicated to security functions;

dedicated storage accessible only by the dedicated security system processor;
a security engine including security instructions operative to implement a security policy when executed by the dedicated security system processor, at least a portion of the security engine being stored in the dedicated storage, the security instructions configured to provide in accordance with the security policy 
a routing device configured to receive particular untrusted network data intercepted from an untrusted network before the mobile device processor of the mobile device processes the particular untrusted network data, the particular untrusted network data being sent to be processed by the mobile device, the intercepting and receiving occurring before the mobile device processor processes the particular untrusted network data, the routing device further configured to forward the particular untrusted network data to the security engine, the routing device further configured to forward particular return network data received from the security engine to the mobile device for processing by the mobile device processor; 
the dedicated security system processor configured to execute the security engine, thereby causing the security engine to: 
receive the particular untrusted network data from the routing device, 
evaluate the particular untrusted network data for violations of the security policy to identify particular malicious or potentially malicious code in the particular untrusted network data in accordance with the security policy, 
block the particular malicious or potentially malicious code from being provided to the mobile device, and 
provide the particular return network data to the routing device for transmission to the mobile device for processing by the mobile device processor, 

REASONS FOR ALLOWANCE
Claims 1-2 and 4-19 are allowed. The following is an examiner’s statement of reasons for allowance: 
The closest prior art of record, Wang et al. (US 7,894,480), discloses a data processing system that includes a host computer and a network interface card (NIC) connected to or integrated in the host computer; the NIC includes an embedded firewall at the network interface level to protect against inside and outside attacks on the security of the data processing system. The firewall uses filtering rules (a policy) to determine whether network data is transmitted to the host device processor or is discarded. Data received from the network is routed to various NIC modules (including the firewall) as needed for, e.g., parsing, further processing and filtering. The NIC is implemented as an application specific integrated circuit (ASIC).
The prior art of record does not teach all the limitations of independent claims 1, 12 and 18-19, and in particular does not teach the amended feature "dedicated storage accessible only by the dedicated security system processor, at least a portion of the security engine being stored in the dedicated storage" in combination with the other limitations recited by said claims. Wang does not describe the program storage on the NIC. The secondary reference (Ryan et al., US 2005/0109841) provides program storage inside a token that can be accessed from outside the token; for example (paras. 137, 283), the host processor can program the security processor inside the token.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance”.

Communications Inquiry
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ADRIAN STOICA whose telephone number is (571)270-1955.  The examiner can normally be reached on Monday-Friday 9:30-6:00 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim can be reached on 571-272-3804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private 

/ADRIAN STOICA/Examiner, Art Unit 2494

/ROBERT B LEUNG/Primary Examiner, Art Unit 2494
2-25-2021