Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
   
            DETAILED ACTION

1.	A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 25 January 2021 has been entered.	

2.	Claims 1, 3, 5, 7-9, 15-17 and 20-29 remain pending and rejected.

               Responses to the Argument

3.	The applicant’s arguments filed on 25 January 2021 are moot in view of the new ground of rejection set forth in this Office action.

 Claim Rejections - 35 USC § 103
	
4.	The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103(a) are summarized as follows:
1.	Determining the scope and contents of the prior art.
2.	Ascertaining the differences between the prior art and the claims at issue.
3.	Resolving the level of ordinary skill in the pertinent art.
4.	Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1, 3, 5, 7-9, 15-17 and 20-29 are rejected under 35 U.S.C. §103(a) as being unpatentable over Roundy et al. (US Patent No. 10169584), hereinafter Roundy, in view of Rivera et al. (US Patent No. 9065849), hereinafter Rivera.

In regard to claim 1:
collecting over a network a plurality of identifiers for a plurality of files, wherein each file of the plurality of files is installed on at least one of a plurality of end-point devices (EPDs) of the network (Roundy, col 8, lines 8-21, col 6, lines 45-54);
determining that a first file installed on a first EPD of the plurality of EPDs and a second file installed on a second EPD of the plurality of EPDs have a same identifier (Roundy, col 2, lines 8-15);
retrieving a time pointer at which the second file was installed on the second EPD (Roundy, col 2, lines 16-26);
searching the network for a communication between the first EPD and the second EPD that was executed prior to the time pointer (Roundy, col 6, lines 23-54).
Roundy does not explicitly suggest determining that the first file has a prevalence that satisfies a prevalence threshold based, at least in part, on results of a plurality of 
Roundy does not explicitly suggest indicating that the first file is a suspicious file for an advanced persistent threat attack based, at least in part, on the determination that the prevalence of the first file satisfies the prevalence threshold; however, in the same field of endeavor, Rivera discloses this limitation (Rivera, col 9, lines 13-30).
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to combine Roundy's method of determining that a file is installed on multiple networked devices with Rivera's determination of the prevalence level of a file, in order to verify the integrity of operating systems and device drivers on one or more devices, as stated by Rivera at col 7, lines 60-61.

In regard to claim 3:
Roundy does not explicitly suggest wherein determining that the first file of the plurality of files has a prevalence that satisfies the prevalence threshold comprises determining that the first file has a prevalence below the prevalence threshold; however, in the same field of endeavor, Rivera discloses this limitation (Rivera, col 9, lines 13-30).
Same motivation for combining the respective features of Roundy and Rivera applies herein, as discussed in the rejection of claim 1.

In regard to claim 5:

Same motivation for combining the respective features of Roundy and Rivera applies herein, as discussed in the rejection of claim 1.

In regard to claim 7:
Roundy does not explicitly suggest further comprising: continuously monitoring information associated with each file of the plurality of files with prevalence that satisfies the prevalence threshold; however, in the same field of endeavor, Rivera discloses this limitation (Rivera, col 9, lines 13-30).
 Same motivation for combining the respective features of Roundy and Rivera applies herein, as discussed in the rejection of claim 1.

In regard to claim 8:
Roundy does not explicitly suggest further comprising: generating a risk score based on the determination that the first file is a suspicious file; however, in the same field of endeavor, Rivera discloses this limitation (Rivera, col 20, lines 1-4).
Same motivation for combining the respective features of Roundy and Rivera applies herein, as discussed in the rejection of claim 1.

In regard to claim 9:
an interface to a network (Roundy, col 14, lines 16-18);
a memory coupled to the processing unit, the memory containing therein instructions that when executed by the processing unit cause (Roundy, col 13, lines 17-24)
the apparatus to collect over the network a plurality of identifiers for a plurality of files, wherein each file of the plurality of files is installed on at least one of a plurality of end-point devices (EPDs) of the network (Roundy, col 8, lines 8-21, col 6, lines 45-54);
determine that a first file installed on a first EPD of the plurality of EPDs and a second file installed on a second EPD of the plurality of EPDs have a same identifier (Roundy, col 2, lines 8-15);
retrieve a time pointer at which the second file was installed on the second EPD (Roundy, col 2, lines 16-26);
search the network for a communication between the first EPD and the second EPD that was executed prior to the time pointer (Roundy, col 6, lines 23-54).
AMENDMENT AND RESPONSE UNDER 37 CFR §1.114, Page 4, Application Number: 16/014,632, Dkt: 114.PALO-00575-US-NP, Filing Date: June 21, 2018
Roundy does not explicitly suggest determine that the first file has a prevalence that satisfies a prevalence threshold based, at least in part, on results of a plurality of searches for communications between the first EPD and a subset of the plurality of EPDs, wherein the plurality of searches includes the search for a communication between the first EPD and the second EPD; however, in the same field of endeavor, Rivera discloses this limitation (Rivera, col 10, lines 4-21).
Roundy does not explicitly suggest indicate that the first file is a suspicious file for an advanced persistent threat attack based, at least in part, on the determination that 
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to combine Roundy's method of determining that a file is installed on multiple networked devices with Rivera's determination of the prevalence level of a file, in order to verify the integrity of operating systems and device drivers on one or more devices, as stated by Rivera at col 7, lines 60-61.
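The detection method recited in claims 1, 9 and 17 (collect file identifiers per end-point device, match a file seen on two devices, take the later installation time as the time pointer, search for an earlier communication between the two devices, compute the file's prevalence and flag it when the prevalence is below the threshold) can be followed end to end in code. The following Python script is an added illustration written for this page; it is not code from the application, from Roundy or from Rivera. The device names, file identifiers, installation times, network communications and the 25% prevalence threshold are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Installation:
    epd: str                # end-point device name (constructed)
    file_id: str            # file identifier, e.g. a content hash (constructed values below)
    installed_at: datetime  # when the file appeared on that device


@dataclass(frozen=True)
class Communication:
    src: str                # e.g. taken from flow logs; constructed values below
    dst: str
    at: datetime


T0 = datetime(2021, 1, 25, 9, 0)
ALL_EPDS = [f"epd-{n:02d}" for n in range(1, 11)]   # assumed fleet of 10 devices

# Constructed sample inventory: one widely installed file and two rare ones.
INSTALLS = [Installation(e, "sha256:common-updater", T0) for e in ALL_EPDS[:9]] + [
    Installation("epd-01", "sha256:rare-dropper", T0 + timedelta(hours=1)),
    Installation("epd-04", "sha256:rare-dropper", T0 + timedelta(hours=3)),
    Installation("epd-07", "sha256:rare-lonely", T0 + timedelta(hours=2)),
]

# Constructed sample communications between devices.
COMMS = [
    Communication("epd-01", "epd-04", T0 + timedelta(hours=2)),  # before rare-dropper landed on epd-04
    Communication("epd-04", "epd-01", T0 + timedelta(hours=5)),  # after the time pointer, so not counted
    Communication("epd-02", "epd-03", T0 + timedelta(hours=1)),
]

PREVALENCE_THRESHOLD = 0.25   # assumed: a file on fewer than 25% of EPDs is low-prevalence


def collect_identifiers(installs):
    """Group installations by identifier: {file_id: {epd: installed_at}}."""
    by_id = {}
    for i in installs:
        by_id.setdefault(i.file_id, {})[i.epd] = i.installed_at
    return by_id


def prior_communications(comms, first_epd, second_epd, time_pointer):
    """Search for communications between the two EPDs (either direction) before the time pointer."""
    return [c for c in comms
            if {c.src, c.dst} == {first_epd, second_epd} and c.at < time_pointer]


def prevalence(hosts, total_epds):
    """Fraction of the fleet on which the file is installed."""
    return len(hosts) / total_epds


def analyze(installs, comms, all_epds, threshold):
    """Per file identifier: earliest host, prevalence, low-prevalence flag, and
    the hosts the file reached after a communication from the earliest host."""
    by_id = collect_identifiers(installs)
    findings = {}
    for file_id, hosts in by_id.items():
        ordered = sorted(hosts.items(), key=lambda kv: kv[1])   # earliest installation first
        first_epd = ordered[0][0]
        spread_to = []
        for second_epd, time_pointer in ordered[1:]:
            # Same identifier on a second EPD: look for an earlier link from the first EPD.
            if prior_communications(comms, first_epd, second_epd, time_pointer):
                spread_to.append(second_epd)
        prev = prevalence(hosts, len(all_epds))
        findings[file_id] = {
            "first_epd": first_epd,
            "prevalence": prev,
            "suspicious": prev < threshold,   # claim 3: prevalence below the threshold
            "spread_to": spread_to,           # installation path evidence (claims 20, 26, 29)
        }
    return findings


if __name__ == "__main__":
    for file_id, f in analyze(INSTALLS, COMMS, ALL_EPDS, PREVALENCE_THRESHOLD).items():
        print(file_id, f)
```

On the constructed inventory, the widely installed file is not flagged, both rare files are flagged on prevalence alone, and for the rare file that reached a second device after a communication from the first device the spreading path is recorded alongside the flag, which is the installation-time and spreading information the dependent claims build on.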

In regard to claim 15:
Roundy does not explicitly suggest wherein the instructions comprise instructions executable by the processing unit to cause the apparatus to continuously monitor information associated with files in the plurality of files having prevalence satisfying the prevalence threshold; however, in the same field of endeavor, Rivera discloses this limitation (Rivera, col 9, lines 13-30).
 Same motivation for combining the respective features of Roundy and Rivera applies herein, as discussed in the rejection of claim 9.

In regard to claim 16:
Roundy does not explicitly suggest wherein the instructions comprise instructions executable by the processing unit to cause the apparatus to generate a risk score based on an indication that a file of the plurality of files is a suspicious file; however, in the same field of endeavor, Rivera discloses this limitation (Rivera, col 10, lines 22-43).
 Same motivation for combining the respective features of Roundy and Rivera applies herein, as discussed in the rejection of claim 9.


In regard to claim 17:
determine that a first file installed on a first end-point device (EPD) and a second file installed on a second EPD have a same identifier, wherein the first EPD and second EPD are on a network comprising a plurality of EPDs (Roundy, col 2, lines 8-15);
retrieve a time pointer at which the second file was installed on the second EPD (Roundy, col 2, lines 16-26);
search the network for a communication between the first EPD and the second EPD that was executed prior to the time pointer (Roundy, col 6, lines 23-54).
Roundy does not explicitly suggest determine that the first file has a prevalence that satisfies a prevalence threshold based, at least in part, on results of a plurality of searches for communications between the first EPD and a subset of the plurality of EPDs, wherein the plurality of searches includes the search for a communication between the first EPD and the second EPD; however, in the same field of endeavor, Rivera discloses this limitation (Rivera, col 10, lines 4-21).
Roundy does not explicitly suggest determine that the first file is suspicious for an advanced persistent threat attack based, at least in part, on the determination that the prevalence of the first file satisfies the prevalence threshold; however, in the same field of endeavor, Rivera discloses this limitation (Rivera, col 9, lines 13-30).
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to include the method of determining file that is installed in multiple networked device of Roundy with the determining prevalence level a file disclosed in 

In regard to claim 20:
Roundy does not explicitly suggest wherein the second file was installed on the second EPD after the first file was installed on the first EPD; however, in the same field of endeavor, Rivera discloses this limitation (Rivera, col 6, lines 36-44, col 8, lines 22-36).
 Same motivation for combining the respective features of Roundy and Rivera applies herein, as discussed in the rejection of claim 17.

In regard to claim 21:
wherein determining prevalence of the first file comprises determining installations of one or more files across the plurality of EPDs (Roundy, col 2, lines 8-15).

In regard to claim 22:
wherein indicating that the first file is a suspicious file for an advanced persistent threat attack is based, at least in part, on one or more computerized investigation rules (CIRs) (Roundy, col 9, lines 13-30).

In regard to claim 23:
wherein the one or more CIRs are based, at least in part, on at least one of technical personnel and departments associated with the plurality of EPDs (Roundy, col 4, lines 13-25).

In regard to claim 24:
Roundy does not explicitly suggest wherein the instructions executable by the processing unit to cause the apparatus to determine prevalence of the first file comprise instructions to determine installations of one or more files across the plurality of EPDs; however, in the same field of endeavor, Rivera discloses this limitation (Rivera, col 10, lines 23-34).
 Same motivation for combining the respective features of Roundy and Rivera applies herein, as discussed in the rejection of claim 17.

In regard to claim 25:
Roundy does not explicitly suggest wherein the instructions executable by the processing unit to cause the apparatus to indicate that a file is a suspicious file for an advanced persistent threat attack comprise instructions to analyze information about installation of the file in the network according to one or more computerized investigation rules (CIRs); however, in the same field of endeavor, Rivera discloses this limitation (Rivera, col 8, lines 17-36).
 Same motivation for combining the respective features of Roundy and Rivera applies herein, as discussed in the rejection of claim 17.

In regard to claim 26:
wherein the information about the installation of the file in the network includes at least one of spreading schema and installation times (Roundy, col 8, lines 8-21).

In regard to claim 27:


In regard to claim 28:
Roundy does not explicitly suggest wherein the program code executable by the processor to cause the processor to determine that the first file is suspicious for an advanced persistent attack comprises program code executable by the processor to cause the processor to determine that the first file is suspicious for an advanced persistent attack based, at least in part, on one or more computerized investigation rules; however, in the same field of endeavor, Rivera discloses this limitation (Rivera, col 9, lines 13-30).
 Same motivation for combining the respective features of Roundy and Rivera applies herein, as discussed in the rejection of claim 17.

In regard to claim 29:
having further program code stored thereon that when executed by the processor causes the processor to identify the first file as a root cause for malware invading the network based, at least in part, on a determination that the first file caused spreading of the second file (Roundy, col 8, lines 1-27).

  Conclusion

6.	The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure. Any inquiry concerning this communication or earlier . 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on 571-272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
	Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (in USA or CANADA) or 571-272-1000.

/Monjur Rahim/
Patent Examiner
United States Patent and Trademark Office
Art Unit: 2436; Phone: 571.270.3890
E-mail: monjur.rahim@uspto.gov
Fax: 571.270.4890