DETAILED ACTION 
1.	This office action is in response to the communication filed on 02/05/2021.
2.	Claims 2-8, 10-12 and 18 has/have been cancelled.   
3.	Claim 30 has been added.
4.	Claims 1, 9, 13-17 and 19-30 are pending.         

Notice of Pre-AIA or AIA Status
5.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

6.	In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Response to Amendment
7.	Claim(s) 1 has/have been amended to address the claim objection(s).  The claim objection(s) is/are withdrawn.  

Response to Arguments
8.	Applicant’s arguments filed on 02/05/2021 have been fully considered, but they are not persuasive.
Applicant’s argument 1: Ding is non-analogous art.

Examiner’s response 1: In response to applicant's argument that Ding is nonanalogous art, it has been held that a prior art reference must either be in the field of applicant’s endeavor or, if not, then be reasonably pertinent to the particular problem with which the applicant was concerned, in order to be relied upon as a basis for rejection of the claimed invention.  See In re Oetiker, 977 F.2d 1443, 24 USPQ2d 1443 (Fed. Cir. 1992).  In this case, Ding discloses a method to monitor system calls performed by an application to identify deviations from expected behavior of the application (see Ding, paras. 12-14); therefore, Ding is non-analogous art with the claimed invention which discloses a method of monitoring system calls performed by an application to identify malicious software code associated with the application.

Applicant’s argument 2: Fiala and Ding do not disclose “a data analysis module that is executed by the processor to analyze monitoring data in light of previously stored data, to learn from the previously stored data and the monitoring data, and to generate an alert based on monitoring data”.

Examiner’s response 2: The examiner directs applicant’s attention to see Fiala, paras. 44-45, where a classifier unit (i.e. a data analysis module) is executed by the processor; see paras. 61-64, where the classifier unit receives observation(s), identify behavior(s), compares behavior(s) with a .

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


9.	Claim(s) 1, 9, 13, 16-17, 19-20 and 23 is/are rejected under 35 U.S.C. 103 as being unpatentable over Fiala et al. (US 20150150130 A1) in view of Ding et al. (US 20100100774 A1). 
Regarding claim 1:
Fiala discloses a system for identifying and analyzing system calls to identify potentially malicious software code, the system comprising: 
a processor comprising a performance monitoring unit and configured to run an operating system, the operating system comprising a kernel (see Fiala, ;  
a system call monitoring module, executed by the processor, for configuring the performance monitoring unit to identify a system call to the kernel, the performance monitoring unit further configured to generate monitoring data from the system call [that comprises any combination of information about a path to a file to be accessed by the system call, a memory address or range of addresses to be accessed by the system call, information about a socket that is being used by the system call in order to send or receive data, as well as history of system calls in order to monitor for specific sequences of system calls] (see Fiala, paras. 44-47, where a behavior analyzer unit, executed by the processor, comprises a behavior observer unit (i.e. performance monitoring unit) monitoring/collecting information (e.g. file system activity including accessing to a file for deleting, reading, writing, or changing file permission) pertaining to a system call (i.e. a system call encapsulating/containing system call instruction that generates the system call is identified/determined to be observed, monitored and/or collected information), filtering collected information, and generating observation(s) (i.e. monitoring data) based on the filtered information); and
a data analysis module, executed by the processor, to analyze the monitoring data in light of previously [stored] data, to learn from the previously [stored] data and the monitoring data, and to generate an alert based on the monitoring data, the alert indicating that the system call was generated by potentially malicious software code (see Fiala, paras. 44-45, where a classifier unit (i.e. a data analysis module) is executed by the processor; see paras. 61-64, where the classifier unit receives observation(s), identify behavior(s), compares behavior(s) with a behavior/classifier model (i.e. previously data) to determine whether a behavior is malicious, and notifies about an identified malicious behavior; see para. 67 where a malicious behavior is detected to be associated with a system call made by a malicious application).
Fiala does not, but Ding discloses:  
the system call that comprises any combination of information about a path to a file to be accessed by the system call, a memory address or range of addresses to be accessed by the system call, information about a socket that is being used by the system call in order to send or receive data, as well as history of system calls in order to monitor for specific sequences of system calls (see Ding, para. 78, where, in addition to information about accessing a file and returning a value, system call(s) of an application is/are monitored to collect information about a socket used by the system call(s) in order to monitor a sequence of system calls for constructing a system call graph);
previously stored data (see Ding, abstract and para. 90, where a call graph of an application is compared with a call graph of stored non-faulty runtime signature(s) (i.e. previously stored data)).
It would have been obvious to one having ordinary skill in the art to which the claimed invention pertains, before the effective filing date of the claimed invention, to modify Fiala's invention by enhancing it for the system call that comprises any combination of 

Regarding claim 17:
	See similar rejection to claim 1.

Regarding claims 9 and 19:
Fiala as modified discloses:
a malware counter-attack module, executed by the processor, for receiving the alert and performing an action involving the potentially malicious software code (see Fiala, paras. 44-45, where an actuator unit (i.e. a malware counter-attack module) is executed by the processor; see paras. 64, 67, where the actuator unit receives a notification from the classifier unit, and performs an action to heal, cure, isolate, or otherwise fix the identified malicious problem associated with a software application performing a system call).

Regarding claims 13 and 20:
Fiala as modified discloses:
wherein the action comprises suspending the potentially malicious code from being further executed by the processor (see Fiala, para. 7, where an application, i.e. the potentially malicious code, is prevented from executing).

Regarding claims 16 and 23:
Fiala as modified discloses:
wherein the action comprises instructing the kernel to ignore the system call (see Fiala, para. 67, where an application’s malicious operations associated with the application’s system call is/are terminated and/or prevented from execution).

10.	Claim(s) 14 and 21 is/are rejected under 35 U.S.C. 103 as being unpatentable over Fiala, Ding, and further in view of Shevchenko (US 20090049550 A1).
Regarding claims 14 and 21:
Fiala as modified discloses:
wherein the action comprises [deleting the potentially malicious code] (see Fiala, para. 7, where the application associated with malicious behavior is blocked or terminated from executing).
Fiala as modified does not, but Shevchenko discloses:
deleting the potentially malicious code (see Shevchenko, para. 26, where a file associated with a malicious process is deleted, i.e. delete the file comprising potentially malicious code performing a malicious process).
It would have been obvious to one having ordinary skill in the art to which the claimed invention pertains, before the effective filing date of the claimed invention, to modify .

11.	Claim(s) 15 and 22 is/are rejected under 35 U.S.C. 103 as being unpatentable over Fiala, Ding, and further in view of Swartz et al. (US 20070180509 A1).
Regarding claims 15 and 22:
Fiala as modified discloses:
wherein the action comprises [adding the potentially malicious code to a list of code to not be executed by the processor] (see Fiala, para. 67, where an application’s malicious operations associated with the application’s system call is/are terminated and/or prevented from execution).
Fiala as modified does not, but Swartz discloses:
adding the potentially malicious code to a list of code to not be executed by the processor (see Swartz, paras. 138, 165, 145-147 where a signature of a suspected malicious software/program is calculated, and a blacklist is updated with the signature of the suspected malicious software/program to prevent the execution of malicious software/programs).
It would have been obvious to one having ordinary skill in the art to which the claimed invention pertains, before the effective filing date of the claimed invention, to modify Fiala-Ding's invention by enhancing it for adding the potentially malicious code to a list of code to not be executed by the processor, as taught by Swartz, in order to prevent execution of malicious programs based on the blacklist.

12.	Claim(s) 24 and 27 is/are rejected under 35 U.S.C. 103 as being unpatentable over Fiala, Ding, and further in view of Teruya et al. (US 20130332932 A1).
Regarding claims 24 and 27:
Fiala as modified does not, but Teruya discloses:
wherein the system call comprises a supervisor call instruction (see Teruya, para. 3, where a system call is a supervisor call, i.e. a supervisor call instruction).
It would have been obvious to one having ordinary skill in the art to which the claimed invention pertains, before the effective filing date of the claimed invention, to modify Fiala-Ding's invention by enhancing it so that the system call comprises a supervisor call instruction, as taught by Teruya, in order to confirm an access right of a calling process (see Teruya, para. 3).

13.	Claim(s) 25, 28 and 30 is/are rejected under 35 U.S.C. 103 as being unpatentable over Fiala, Ding, and further in view of Richter et al. (US 5481684 A).
Regarding claims 25 and 28:
Fiala as modified does not, but Richter discloses:
wherein the system call comprises a FAR branch (see Richter, col. 6, lines 28-37, where an operating system call causes a far jump to make a control transfer to a different segment. In other words, the operating system call comprises a far branch).
It would have been obvious to one having ordinary skill in the art to which the claimed invention pertains, before the effective filing date of the claimed invention, to modify 

Regarding claim 30:
	See similar rejection to claim 25 (i.e., claim 1 and claim 25).

14.	Claim(s) 26 and 29 is/are rejected under 35 U.S.C. 103 as being unpatentable over Fiala, Ding, and further in view of Russello et al. (US 20140137184 A1).
Regarding claims 26 and 29:
Fiala as modified does not, but Russello discloses:
wherein the system call comprises an Mprotect or VirtualProtect instruction (see Russello, para. 324, where a system call is an Mprotect function).
It would have been obvious to one having ordinary skill in the art to which the claimed invention pertains, before the effective filing date of the claimed invention, to modify Fiala-Ding's invention by enhancing it so that the system call comprises an Mprotect or VirtualProtect instruction, as taught by Russello, in order to monitor system calls to the kernel made by a mother process to detect the launching of a new process in the Linux layer corresponding to a new application or part of an application (see Russello, para. 19).

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HUAN V. DOAN whose telephone number is 571-272-3809. The examiner can normally be reached on Monday – Thursday, 9:00am – 5:00pm EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, KRISTINE KINCAID, can be reached on 571-272-4063.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.


/HUAN V DOAN/Primary Examiner, Art Unit 2437