DETAILED ACTION

1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
 
2.	Applicant’s response filed on December 21, 2020 has been considered.  Claims 1, 3, 8-9, 11, and 16-19 have been amended. Claims 1-20 are pending.

Drawings
3.	Fig. 4 replacement sheet has been received. 

Claim Rejections - 35 USC § 103

4.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

5.	Claims 1-7, 9-15, and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Ristovski et al. (U.S. 2013/0333056 A1), hereinafter “Ristovski”, in view of Brezinski (U.S. 9,348,742 B1), further in view of Russello (U.S. 2015/0332043 A1).
Referring to claims 1, 9, 17:
	i.	Ristovski teaches:
                       A method of de-elevating a process created in a computing device of a computer system, comprising:
            detecting a user login within a login session of the computing device in the computer system, the login session having a default security context (see Ristovski, fig. 3, 302 ‘associate default set of privileges with user-ids’; [0012] ‘The set of privileges assigned to a process may be based on the set of privileges associated with the user-id of the owner of the process [i.e., detecting a user identifier login with a login session ].  session ID [i.e., the login session ]’);
            creating a de-elevated security context for the login session user identifier, wherein the de-elevated security context has fewer privileges than the default security context (see Ristovski, fig. 3, 304 ‘create process and assign set of privileges based on user-id of owner’, 308 ‘modify set of privileges assigned to process’); 
            detecting a process to be created within the login session (see Ristovski, fig. 3, 304 ‘create a process’; [0017] ‘The child process may be created using any mechanism provided by the operating system including, for example, the fork( ) and spawn( ) mechanisms available in UNIX.RTM.-like operating systems.’);
            determining whether the process is potentially malicious (see Ristovski, [0014] ‘Accordingly a process may be created with a default set of privileges and subsequently the privileges may be modified to include only a sub-set of the default privileges thereby mitigating the risk of malicious exploitation of the process through attack.’); 
             launching the process using the default security context when determining that the process is not potentially malicious (see Ristovski, [0014] ‘Accordingly a process may be created with a default set of privileges and subsequently the privileges may be modified to include only a sub-set of the default privileges thereby mitigating the risk of malicious exploitation of the process through attack.’); and
           launching the process using the de-elevated security context when determining that the process is potentially malicious (see Ristovski, [0014] ‘Accordingly a process may be created with a default set of privileges and subsequently the privileges may be modified to include only a sub-set of the default privileges thereby mitigating the risk of malicious exploitation of the process through attack.’). 
	However, Ristovski does not explicitly disclose comparing an intended state and a digital profile of the computing device.
	Ristovski discloses detecting a process to be created (see Ristovski, fig. 3, 304 ‘create a process’; [0017] ‘The child process may be created using any mechanism provided by the operating system including, for example, the fork( ) and spawn( ) mechanisms available in UNIX.RTM.-like operating systems.’).  However, Ristovski does not explicitly disclose detecting a process to be created prior to the process actually being created.
	ii.	Brezinski discloses comparing an intended state and a digital profile of the computing device (see Brezinski, col. 2, line 51 ‘Once a baseline memory allocation is established, the performance data collected for executing processes may be compared to the baseline.  A process that exhibits an anomalous memory allocation [i.e., an intended state ] compared to the baseline [i.e., the digital profile of the computing device ] may be designated as a potential security risk and flagged for further analysis to determine whether malicious code has been injected into the process.’; col. 13, line 18 ‘a user authentication module’).
	iii.	It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Brezinski into the system of Ristovski for comparing an intended state and a digital profile of the computing device.  Ristovski teaches “a process may be created with a default set of privileges and subsequently the privileges may be modified to include only a sub-set of the default privileges thereby mitigating the risk of malicious exploitation of the process through attack.” (see Ristovski, [0014]).  Therefore, Brezinski’s teaching could enhance the system of Ristovski, because Brezinski teaches “identifying potential security risks based on detecting an anomalous memory allocation during one or more executions of a process.” (see Brezinski, col. 1, line 66).
	iv.	Russello discloses detecting a process to be created prior to the process actually being created (see Russello, fig. 12 discloses a timeline for creating a process, 402 ‘(early) link security policy to new process’, 400 ‘new application launch instruction [i.e., detecting a process to be created prior to the process actually being created ]’, 404 ‘mother process forks new child process [i.e., where ‘mother process forks a new child process’ corresponding to ‘the process actually being created’ ]’).
	v.	It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Russello into the system of Ristovski for detecting a process to be created prior to the process actually being created.  Ristovski teaches "a process may be created with a default set of 

Referring to claims 2, 10, 18:
		Ristovski, Brezinski, and Russello further disclose:
           launching a helper process with a special security context that enables the helper process to create new security contexts; obtaining a copy of the default security context; and creating the de-elevated security context using the copy of the default security context (see Ristovski, [0016] ‘The result of modifying the set of privileges may be to reduce the abilities for which the process is authorized (e.g. allowed) to a sub-set of the previously assigned set of privileges.’)
Referring to claims 3, 11, 19:
		Ristovski, Brezinski, and Russello further disclose:
           	wherein the special security context is a process enabled to create or cause other processes, including the helper process, to create security contexts (see Ristovski, [0014] ‘the set of privileges [i.e., security context ] assigned to a process may be modified responsive to a request [i.e., creating ].’).
Referring to claims 4, 12, 20:
		Ristovski, Brezinski, and Russello further disclose:
           creating the de-elevated security context by removing an association of the copy of the default security context with an administrative security group, causing a removal of privileges associated with the administrative security group from the copy of the default security context (see Ristovski, [0011] ‘Some systems may include one or more user-ids that are designated as system administrator users (a.k.a.  root user, root, or sys admin) that may be given all possible privileges.’).
Referring to claims 5, 13:
		Ristovski, Brezinski, and Russello further disclose:
           duplicating the de-elevated security context to a security agent running within the computing device (see Ristovski, [0012] ‘The process may be assigned the set of privileges associated with the owner [i.e., duplicating the de-elevated security context ] of the process at the time the process is created.’).
Referring to claims 6, 14:
		Ristovski, Brezinski, and Russello further disclose:
           the intended state of the computing device is created by a security manager by observing at least one of the computing device or one or more other computing devices in the computer system during a learning stage, and the digital profile of the computing device includes information about the process (see Brezinski, col. 2, lines 51-58 ‘supervised or unsupervised machine learning techniques such as clustering or classification.  Once a baseline memory allocation is established, the performance data collected for executing processes may be compared to the baseline.  A process that exhibits an anomalous memory allocation [i.e., the intended state ] compared to the baseline [i.e., the digital profile ] may be designated as a potential security risk’).
           It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Brezinski into the system of Ristovski for comparing an intended state and a digital profile of the computing device.  Ristovski teaches “a process may be created with a default set of privileges and subsequently the privileges may be modified to include only a sub-set of the default privileges thereby mitigating the risk of malicious exploitation of the process through attack.” (see Ristovski, [0014]).  Therefore, Brezinski’s teaching could enhance the system of Ristovski, because Brezinski teaches “identifying potential security risks based on detecting an anomalous memory allocation during one or more executions of a process.” (see Brezinski, col. 1, line 66).
Referring to claims 7, 15:
		Ristovski, Brezinski, and Russello further disclose:
           retrieving the intended state and the digital profile of the computing device from a manager database (see Ristovski, [0023] ‘A default set of privileges… stored in … user-id metadata repository’).

6.	Claims 8 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Ristovski et al. (U.S. 2013/0333056 A1), in view of Brezinski (U.S. 9,348,742 B1), in .
Referring to claims 8, 16:
	i.	Ristovski, Brezinski, and Russello further disclose:
                      determining, based on the comparing, that the process corresponds to a deviation from the intended state of the computing device (see Brezinski, col. 13, line 60 ‘identify deviation from a norm or average’).
                      They further disclose when the process is known malicious, preventing launching of the process (see Brezinski, col. 6, line 38 ‘preventing the process 104 from launching on one or more host computing devices 102,’); and
		launching the process using the default security context when determining the process is not known malicious, and not potentially malicious (see Ristovski, [0014] ‘Accordingly a process may be created with a default set of privileges and subsequently the privileges may be modified to include only a sub-set of the default privileges thereby mitigating the risk of malicious exploitation of the process through attack.’). 
                      It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Brezinski into the system of Ristovski for determining, based on the comparing, that the process corresponds to a deviation from the intended state of the computing device, and for preventing launching of the process when the process is known malicious.  Ristovski teaches “a process may be created with a default set of privileges and subsequently the privileges may be modified to include only a sub-set of the default privileges thereby mitigating the risk of malicious exploitation of the process through attack.” (see Ristovski, [0014]).  Therefore, Brezinski’s teaching could enhance the system of Ristovski, because Brezinski teaches “identifying potential security risks based on detecting an anomalous memory allocation during one or more executions of a process.” (see Brezinski, col. 1, line 66).
		However, they do not explicitly disclose consulting with a reputation checking system.

           iii.	It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Rebelo into the system of Ristovski to include a reputation server.  Ristovski teaches “a process may be created with a default set of privileges and subsequently the privileges may be modified to include only a sub-set of the default privileges thereby mitigating the risk of malicious exploitation of the process through attack.” (see Ristovski, [0014]).  Therefore, Rebelo’s teaching could enhance the system of Ristovski, because Rebelo teaches “The response code may include … a reputation score, from which computing device 110 may determine an appropriate action.” (see Rebelo, col. 13, lines 60-67).

Response to Arguments
7.	Applicant’s arguments filed on December 21, 2020 have been considered.  Independent claims have been amended to include new limitations. However, upon further consideration, a new ground(s) of rejection is made in view of Russello.  Applicant’s arguments are moot due to the new ground(s) of rejection.

Conclusion

8.	The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
	(a)	Mital; Vijay et al. (US 20110185338 A1) disclose design-time business process validations within data context;
	(b)	Maes; Stephane Herman (US 20160254961 A1) discloses execution of a topology;
	(c)	Tran; Oai et al. (US 20120101856 A1) disclose method and system for processing of data related to insurance;
	(d)	Robinson; Ian et al. (US 20080040398 A1) disclose Propagating Contexts Between a First and Second System.


 9.         Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
           A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.  
                      Any inquiry concerning this communication or earlier communications from the examiner should be directed to Peiliang Pan whose telephone number is (571)272-5987.  The examiner can normally be reached on Monday-Friday 8:00 am - 5:00 pm EST.
            If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571)272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
            Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the 


/PEILIANG PAN/Examiner, Art Unit 2492
/TAE K KIM/Primary Examiner, Art Unit 2492