Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined 

Examiner’s Amendment 
In response to communication with applicant’s correspondent of record, Daniel Vaughan, Reg# 42,199, the application has been amended as follows: 
LISTING OF CLAIMS:

1.	(Currently amended)  A method for detecting execution of malicious cryptomining software in a target computing system, the method comprising:
monitoring target electromagnetic interference (EMI) signals generated during operation of the target computing system; 
	generating a target EMI fingerprint from the target EMI signals; and
comparing the target EMI fingerprint against a set of malicious EMI fingerprints for different pieces of malicious cryptomining software to determine whether the target computing system is executing malicious cryptomining software; 
wherein comparing the target EMI fingerprint against each malicious EMI fingerprint in the set of malicious EMI fingerprints involves:
computing a bivariate normalized cross power spectral density (NCPSD) between the target EMI fingerprint and the malicious EMI fingerprint; and
	when the computed bivariate NCPSD exceeds a predefined threshold, determining that a piece of malicious cryptomining software associated with the malicious EMI fingerprint is executing on the target computing system.

3.	(Canceled)
a Multivariate State Estimation Technique (MSET) 
using the trained MSET model to produce MSET estimates for the malicious EMI signals, wherein the MSET estimates are less noisy than the original malicious EMI signals; and
using the MSET estimates while generating the associated malicious fingerprint.

10.	(Currently amended)  A non-transitory, computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for detecting execution of malicious cryptomining software in a target computing system, the instructions 
instructions for obtaining target EMI signals generated during operation of the target computing system; 
	instructions for generating a target EMI fingerprint from the target EMI signals; and
instructions for comparing the target EMI fingerprint against a set of malicious EMI fingerprints for different pieces of malicious cryptomining software to determine whether the target computing system is executing malicious cryptomining software; 
wherein comparing the target EMI fingerprint against each malicious EMI fingerprint in the set of malicious EMI fingerprints involves:
computing a bivariate normalized cross power spectral density (NCPSD) between the target EMI fingerprint and the malicious EMI fingerprint; and
when the computed bivariate NCPSD exceeds a predefined threshold, determining that a piece of malicious cryptomining software associated with the malicious EMI fingerprint is executing on the target computing system.

11.	(Currently amended)  The non-transitory, computer-readable storage medium of claim 10, wherein generating the target EMI fingerprint from the EMI signals involves:
performing a Fast Fourier Transform (FFT) 
partitioning an output of the FFT operation into a set of frequency bins; 
	constructing an amplitude time-series signal for each frequency bin in the set of frequency bins; and
	generating the target EMI fingerprint by combining the amplitude time-series signals for all of the frequency bins in the set of frequency bins.


12.	(Canceled)
13.	(Currently amended)  The non-transitory, computer-readable storage medium of claim 10, wherein the instructions further comprise instructions for, prior to monitoring the EMI signals, 
executing the piece of malicious cryptomining software on a golden system while all other processes in the golden system are suspended; 

generating a malicious EMI fingerprint for the piece of malicious cryptomining software from the gathered EMI signals. 


14.	(Currently amended)  The non-transitory, computer-readable storage medium of claim 13, wherein the instructions further comprise instructions for, after gathering the malicious EMI signals for a given piece of malicious cryptomining software and prior to generating the associated malicious fingerprint: a Multivariate State Estimation Technique (MSET) 
using the trained MSET model to produce MSET estimates for the malicious EMI signals, wherein the MSET estimates are less noisy than the original malicious EMI signals; and
using the MSET estimates while generating the associated malicious fingerprint.

15.	(Currently amended) A system that detects execution of malicious cryptomining software in a target computing system, comprising:
at least one processor and at least one associated memory; and 
a detection mechanism that executes on the at least one processor, wherein the detection mechanism: 

generates a target EMI fingerprint from the target EMI signals, and
compares the target EMI fingerprint against a set of malicious EMI fingerprints for different pieces of malicious cryptomining software to determine whether the target computing system is executing malicious cryptomining software; 
wherein comparing the target EMI fingerprint against each malicious EMI fingerprint in the set of malicious EMI fingerprints involves:
computing a bivariate normalized cross power spectral density (NCPSD) between the target EMI fingerprint and the malicious EMI fingerprint; and
when the computed bivariate NCPSD exceeds a predefined threshold, determining that a piece of malicious cryptomining software associated with the malicious EMI fingerprint is executing on the target computing system.


16.	(Currently amended)  The system of claim 15, wherein while generating the target EMI fingerprint from the EMI signals, the detection mechanism:
performs a Fast Fourier Transform (FFT) 
partitions an output of the FFT operation into a set of frequency bins; 

	generates the target EMI fingerprint by combining the amplitude time-series signals for all of the frequency bins in the set of frequency bins.

17.	(Canceled)
19.	(Currently amended)  The system of claim 18, wherein after gathering the malicious EMI signals for a given piece of malicious cryptomining software and prior to generating the associated malicious fingerprint, the detection mechanism:	trains a Multivariate State Estimation Technique (MSET) 
uses the trained MSET model to produce MSET estimates for the malicious EMI signals, wherein the MSET estimates are less noisy than the original malicious EMI signals; and
uses the MSET estimates while generating the associated malicious fingerprint.
21.	(New)  The system of claim 20, wherein the insertable device comprises one of the following:
a universal serial bus (USB) dongle, which is insertable into a USB port in the target computing system;
a peripheral component interconnect (PCI) card, which is insertable into a PCI slot in the target computing system; and



22.	(New)  The non-transitory, computer-readable storage medium of claim 10, wherein the EMI signals are monitored using an insertable device, which is inserted into the target computing system to gather the EMI signals from the target computing system.


23.	(New)  The non-transitory, computer-readable storage medium of claim 22, wherein the insertable device comprises one of the following:
a universal serial bus (USB) dongle, which is insertable into a USB port in the target computing system;
a peripheral component interconnect (PCI) card, which is insertable into a PCI slot in the target computing system; and
a hard-disk drive (HDD) filler package, which is insertable into an HDD slot in the target computing system.  


Allowable Subject Matter
The following is an examiner’s statement of reasons for allowance: 
	The prior art of record fails to teach or fairly suggest, in response to comparing a target EMI fingerprint with one of a plurality of malicious EMI fingerprints in a set of malicious EMI fingerprints, computing a bivariate normalized cross power spectral density (NCPSD) between the target EMI fingerprint and one of the malicious EMI fingerprints; and upon determining that the computed bivariate NCPSD exceeds a predefined threshold, determining that a piece of malicious crypto-mining software 
The closest related prior art are cited to state the general state of the art and are not considered to teach the distinguishing features noted above. The prior art includes:
(i) 	US Pat Vaidyanathan et al (US 8,762,080), which teaches matching stored normalized cross power spectral density (NCPSD) signatures of collected data for detecting missing computer components;
(ii) 	US PG Pub Dhanekula et al (US 2010/0332199), which discloses accessing the integrity of a monitored system using EMI fingerprints to analyze the monitored system integrity;
(iii) 	NPL document "Malicious Traffic Detection Using Traffic Fingerprint" – Shimoni et al, Arnon.dk, 01/2015; and
(iv) 	NPL document "DySign: Dynamic Fingerprinting for the Automatic Detection of Android Malware" – Karbab et al, Concordia University, 02/19/2017.
After thorough review of related prior art, the application has been deemed allowable because of the limitations describing, in response to comparing a target EMI fingerprint with one of a plurality of malicious EMI fingerprints in a set of malicious EMI fingerprints, computing a bivariate normalized cross power spectral density (NCPSD) between the target EMI fingerprint and one of the malicious EMI fingerprints; and upon determining that the computed bivariate NCPSD exceeds a predefined threshold, determining that a piece of malicious crypto-mining software associated with the malicious EMI fingerprint is executing on a target computing system, recited in the specific manner and combinations recited within the claims. Upon an extensive search .  
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Randy A. Scott whose telephone number is (571) 272-3797. The examiner can normally be reached on Monday-Thursday 7:30 am-5:00 pm, second Fridays 7:30 am-4pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Luu Pham can be reached on (571) 270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Randy A. Scott whose telephone number is (571) 272-3797. The examiner can normally be reached on Monday-Thursday 7:30 am-5:00 pm, second Fridays 7:30 am-4pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Luu Pham can be reached on (571) 270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/RANDY A SCOTT/Primary Examiner, Art Unit 2439
20210309