Notice of Pre-AIA  or AIA  Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
   
           DETAILED ACTION
	
1.	This action is in response to the amendment and argument field on 20 November 2020.
2.	Claims 26-27, 29-30, 35-36, 38-3942, and 44-45 have been amended.
3.	Claims 26-45 remain Pending and Rejected.
		
                Responses to the Argument

4.	The applicant’s arguments filed on 20 November 2020 are moot in view of new ground of rejection rendered.	

                                               Claim Rejections - 35 USC § 102

5.	The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –	
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the 


Claims 26-45 are rejected 35 U.S.C §102 (a)(2) as being anticipated by Benjamin Trumbull (US Patent No. 8312249), hereinafter Trumbull.
In regard to claim 26: 
receive a code address, wherein the code address is an address of a memory location containing executable code (Trumbull, col 6, lines 33-49, col 5, lines 8-20).
determine whether the code address is backed by an executable process (Trumbull, col 18, lines43-45-51, Fig. 4-5).
 determine, based on a determination that the code address is backed by the executable process, whether the executable process is signed by a trusted source (Trumbull, Fig.4-5, step 501, 503, 511, col ).
determine, based on a determination that the executable process is not signed by a trusted source, whether a hash of the executable process matches a trusted hash (Trumbull, Fig.7, step 701-723).  
and classify the executable code as trusted and validated based on the determination that the executable process is signed by the trusted source or matches the trusted hash (Trumbull, col 10, lines 1-7, col 8, lines 1-8, col 7, lines 56-67), wherein there two types/classified/privileged/non-privileged ( valid and invalid) codes are determined, 
In regard to claim 27: 

In regard to claim 28: 
further comprising one or more instructions that, when executed by the processor, further cause the processor to: determine, based on the determination that the code address is not backed by the executable process, whether the code address is located in a tracked memory region (Trumbull, col 3, lines 49-67).
In regard to claim 29: 
further comprising one or more instructions that, when executed by the processor, further cause the processor to: classify, based on a determination that the executable code is not located in the tracked memory region, the code address as benign and not validated (Trumbull, col 4, lines 29-47).
In regard to claim 30: 
further comprising one or more instructions that, when executed by the processor, further cause the processor to: classify, based on a determination that the executable code is located in the tracked memory region, the code address as untrusted and not validated (Trumbull, col 18, lines 8-12).
In regard to claim 31: 

In regard to claim 32: 
further comprising one or more instructions that, when executed by the processor, further cause the processor to: determine whether the hash of the executable process is unaltered and within expected ranges (Trumbull, col 2, lines 56-57).
In regard to claim 33: 
further comprising one or more instructions that, when executed by the processor, further cause the processor to: determine whether an in memory image of the executable process matches an on disk image of the executable process (Trumbull, col 1, lines 56-58).
In regard to claim 34: 
further comprising one or more instructions that, when executed by the processor, further cause the processor to: compare behavioral events with in memory behavioral events to determine whether the executable process shows evidence of tampering; (Trumbull, col 7, lines 55-67).
In regard to claim 35: 
memory (Trumbull, ¶73).

determine whether the code address is backed by an executable process (Trumbull, col 18, lines43-45-51, Fig. 4-5).
determine, based on a determination that the code address is backed by the executable process, whether the executable process is signed by a trusted source (Trumbull, Fig.4-5, step 501, 503, 511).
determine, based on a determination that the executable process is not signed by a trusted source, whether a hash of the executable process matches a trusted hash (Trumbull, Fig.7, step 701-723).  
and classify the executable code as trusted and validated based on the determination that the executable process is signed by the trusted source or matches the trusted hash (Trumbull, col 10, lines 1-7, col 8, lines 1-8, col 7, lines 56-67), wherein there two types/classified/privileged/non-privileged ( valid and invalid) codes are determined, 
In regard to claim 36: 
wherein the processor is further configured to: classify the executable code as untrusted and not validated based on the determination that the executable process is not signed by the trusted source and does not match the trusted hash (Trumbull, col 7, lines 56-67).
claim 37: 
wherein the processor is further configured to: determine, based on the determination that the executable code is not backed by the executable process, whether the code address is located in a tracked memory region (Trumbull, col 3, lines 49-67).
In regard to claim 38: 
wherein the processor is further configured to: classify, based on a determination that the code address is not located in the tracked memory region, the executable code as benign and not validated (Trumbull, col 4, lines 29-47).
In regard to claim 39: 
wherein the processor is further configured to: classify, based on a determination that the code address is located in the tracked memory region, the executable code as untrusted and not validated(Trumbull, col 4, lines 29-47).
In regard to claim 40: 
wherein the processor is further configured to: identify the executable process (Trumbull, col 6, lines 33-50).
In regard to claim 41: 

determining, based on a determination that the code address is backed by the executable process, whether the executable process is signed by a trusted source (Trumbull, Fig.4-5, step 501, 503, 511, col ).
determining, based on a determination that the executable process is not signed by a trusted source, whether a hash of the executable process matches a trusted hash (Trumbull, Fig.7, step 701-723).  
and classifying the executable code as trusted and validated based on the determination that the executable process is signed by the trusted source or matches the trusted hash (Trumbull, col 10, lines 1-7, col 8, lines 1-8, col 7, lines 56-67), wherein there two types/classified/privileged/non-privileged ( valid and invalid) codes are determined,
In regard to claim 42: 
further comprising: classifying the executable code as untrusted and not validated based on the determination that the executable process is not signed by the trusted source and does not match the trusted hash (Trumbull, col 7, lines 56-67).
In regard to claim 43: 

In regard to claim 44: 
further comprising: classifying, based on a determination that the code address is not located in the tracked memory region, the executable code as benign and not validated (Trumbull, col 4, lines 29-47).
In regard to claim 45: 
further comprising: classifying, based on a determination that the code address is located in the tracked memory region, the executable code as untrusted and not validated (Trumbull, col 18, lines 8-12).

                            Conclusion	
	
6.	Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will 
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure (See form “PTO-892 Notice of reference cited).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MONJUR RAHIM whose telephone number is (571)270-3890. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewye Gelagay can be reached on 571-272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Monjur Rahim/
Patent Examiner
United States Patent and Trademark Office
Art Unit: 2436; Phone: 571.270.3890
E-mail: monjur.rahim@uspto.gov
Fax: 571.270.4890\