DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

This office action is in response to applicant’s amendment filed on 01/07/2021.
Claims 1-4, 6-10, 13-18, 20-21 and 23-25 are pending and examined.
Claim 25 is a new claim.
Claims 5, 11-12, 19 and 22 have been cancelled.

Response to Arguments
Applicant’s arguments filed on 01/07/2021 have been considered but they are not persuasive.
Per claim 1, applicant argued (page 12) that “Mu does not indicate, with respect to the watchdog timer, that the filter controller (interpreted by the Office as the integrity manager) causes the filter (interpreted by the Office as the kernel-mode component) “to perform an action,” as amended claim 1 recites. For example, while the filter controller may call the filter and start the watchdog timer, Mu does not indicate that the call causes the filter to perform any action in response. Id. Accordingly, Mu does not teach or suggest an integrity manager that determines integrity of an associated kernel-mode component in part by “causing the kernel-mode component to perform an action,” as amended claim 1 recites”. The examiner respectfully disagrees. Mu (column 7, lines 15-36) discloses that the filter controller invokes a security filter: “The security filter includes a request handler that processes the request to determine if a security event has occurred... The security filter also includes response handlers to process the response. Both the request handlers and the response handlers in the security filter may provide a status to permit a return from the request or response callback, to permit to generally return status information to the filter controller”. Clearly, when a security filter is invoked by the filter controller, the security filter performs a set of actions, including returning status information to the filter controller. Mu (column 24, lines 15-24) also discloses that the filter controller uses a watchdog timer to check the response from the security filter and determine whether it is inactive; if the security filter is inactive, it is skipped in subsequent calls. Therefore, the examiner believes Mu discloses the claim limitation in claim 1.
Applicant also argued with respect to the Cohen reference; those arguments are moot in light of a new reference (Kostadinov) that replaces Cohen.
The examiner is available for a phone interview with applicant.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3-4, 8, 10, 15, 17-18, 21 and 25 are rejected under 35 U.S.C. 103 as being unpatentable over Mu (US patent 7908656), in view of Kostadinov et al. (US PGPUB 2005/0268136).

Per claim 1, Mu discloses “a computing device comprising: a processor; and a memory storing: a kernel-mode component of a security agent, the kernel mode component being configured to be operated by the processor to perform at least one of monitoring, analysis, reporting, or remediation;” (Fig. 2; a computer with a processor and memory; claims 1-5; column 3, lines 24-37; a security filter for a data storage system, to monitor and analyze intruder response of the data storage system, to protect it); “an integrity manager associated with the kernel-mode component, the integrity manager being configured to be operated by the processor to determine integrity of the kernel-mode component by: causing the kernel-mode component to perform an action, wherein the action is associated with a known reaction; determine that the known reaction did not occur in response to the action of the kernel-mode component; and in response to determining that the known reaction did not occur, performing” an action (column 24, lines 15-25; column 6, lines 50-65; column 7, lines 15-36; the filter controller is associated with a watchdog mechanism; a security filter is invoked by the filter controller and performs a set of actions, including returning status information to the filter controller; when the filter controller calls a filter, the watchdog mechanism starts a timer, and if the called filter does not properly respond within a predefined time interval, the filter is considered unresponsive and is skipped in the future; i.e., the watchdog mechanism checks the integrity of the security filter, and if the call (action) did not result in the known reaction (response) within the time interval, a skipping action is performed).
While Mu discloses performing an action in response to determining that the known reaction did not occur, Mu does not explicitly teach, in response to determining that the known reaction did not occur, performing at least one of a remediation action or notifying a remote security service associated with the kernel mode component. Kostadinov suggests the above (paragraphs [0015][0017][0018][0023][0027][0030]; a timeout management system including an integrity watcher in a distributed system; when an application or a service does not perform a function within a defined time, the application or the service can register a timeout event (a notification) with the timeout management system (remote security service), and the timeout management can reschedule the timeout event (remediation action) or track the timeout event; the timeout integrity watcher, working in conjunction with the timeout manager, can ensure that the timeout events occur after their intended time delays). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing 

Per claim 3, Mu further suggests “wherein the action includes generating an event and the known reaction includes the event being generated and processed” (column 24, lines 15-25; column 6, lines 50-65; column 7, lines 15-36; the filter controller is associated with a watchdog mechanism; a security filter is invoked by the filter controller and performs a set of actions, including returning status information (generating an event) to the filter controller (which receives and processes the status information)).

Per claim 4, Kostadinov further suggests “wherein the integrity manager is configured to perform a first remediation action or send a first notification to the remote security service in response to determining that the event was generated but not processed; perform a second remediation action or send a second notification to the remote security service in response to determining that the event was not generated” (paragraphs [0015][0017][0018][0023][0027][0030]; a timeout management system including an integrity watcher in a distributed system; when an application or a service does not perform a function within a defined time, the application or the service can register a timeout event (a notification) with the timeout management system (remote security service), and the timeout management can reschedule the timeout event (remediation action) or track the timeout event; the timeout integrity watcher, working in conjunction with the timeout manager, can ensure that the timeout events occur after their intended time delays; it would have been obvious that different timeout events would be generated from different services and applications; i.e. if the security filter 

Claims 8, 10 are rejected under similar rationales as claims 1, 3.
Claims 15, 17-18 are rejected under similar rationales as claims 1, 3-4.
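The action/known-reaction integrity check and the two remediation branches discussed for claims 1, 3 and 4 above, as an added illustration that is not code from this office action or from the cited Mu or Kostadinov patents. The kernel-mode component, the probe event and the notification list standing in for the remote security service are constructed stand-ins, and the 0.1-second watchdog interval is an assumed value.

```python
import threading
import time
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    HEALTHY = "healthy"              # known reaction observed within the interval
    NOT_PROCESSED = "not_processed"  # event generated but never processed
    NOT_GENERATED = "not_generated"  # event never generated at all


@dataclass
class FakeKernelComponent:
    # Constructed stand-in for the monitored kernel-mode component.
    generates: bool = True           # set False to simulate a dead component
    processes: bool = True           # set False to simulate a stalled event queue
    delay: float = 0.0               # seconds before the event is processed
    queue: list = field(default_factory=list)
    processed: threading.Event = field(default_factory=threading.Event)

    def handle_probe(self, probe_id: str) -> None:
        if not self.generates:
            return
        self.queue.append(probe_id)          # the event is generated
        if self.processes:
            time.sleep(self.delay)
            if probe_id in self.queue:       # may already have been flushed
                self.queue.remove(probe_id)  # the event is processed
                self.processed.set()


@dataclass
class IntegrityManager:
    component: FakeKernelComponent
    deadline: float = 0.1            # assumed watchdog interval, seconds
    notifications: list = field(default_factory=list)  # stand-in remote service

    def check_integrity(self, probe_id: str = "probe-1") -> Verdict:
        # Cause the action and arm the watchdog timer at the same moment.
        threading.Thread(target=self.component.handle_probe,
                         args=(probe_id,), daemon=True).start()
        if self.component.processed.wait(self.deadline):
            return Verdict.HEALTHY
        if probe_id in self.component.queue:
            self.component.queue.clear()     # first remediation: flush the queue
            self.notifications.append(("stalled", probe_id))
            return Verdict.NOT_PROCESSED
        self.notifications.append(("unresponsive", probe_id))  # second notification
        return Verdict.NOT_GENERATED
```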

Per claim 21, Mu further suggests “wherein the integrity manager is further configured to determine the integrity of the kernel-mode component by: detecting an occurrence of a system action on the computing device, wherein the system action is associated with a second known reaction; determining that the second known reaction did not occur in response to the occurrence of the system action; and in response to determining that the second known reaction did not occur, performing” an action (column 24, lines 15-25; column 6, lines 50-65; the filter controller is associated with a watchdog mechanism; a filter can be invoked from a system call (system action); the watchdog mechanism starts a timer, and if the filter called by the system does not properly respond (reaction) within a predefined time interval, the filter is considered unresponsive and is skipped in the future); Kostadinov further suggests “in response to determining that the second known reaction did not occur, performing at least one of the remediation action or the notifying the remote security service” (paragraphs [0015][0017][0018][0023][0027][0030]; a timeout management system including an integrity watcher in a distributed system; when different services do not perform a function within a defined time, each service can register a timeout event (a notification) with the timeout management system (remote security service), and the timeout management can reschedule the timeout event 

Per claim 25, Mu further suggests “wherein the event is associated with the kernel mode component writing a registry key” (column 26, lines 40-60; a security filter is invoked by the filter controller and performs a set of actions, including registration by the security filter with the filter framework; exemplary requests for which the security filter registers include file open, file create, file lookup, file read, get attributes, directory read and directory write (i.e. writing to a registry)).

Claims 2, 6, 9, 13, 16 and 24 are rejected under 35 U.S.C. 103 as being unpatentable over Mu and Kostadinov, in view of Nicolson et al. (US PGPUB 2004/0153724) hereinafter Nicolson.

Per claim 2, Mu discloses a kernel level integrity manager (claims 1-5; security filter and filter controller) but does not explicitly disclose “wherein the integrity manager is further configured to determine that the kernel-mode component is inactive and perform the determining of the integrity of the kernel-mode component responsive to determining that the kernel-mode component is inactive”. However, Nicolson suggests the above (Nicolson: paragraphs [0044]-[0046][0048]; when a driver component is inactive, the timer will reach zero and the system will reset; a reset causes validation of disks and partitions). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Mu, Kostadinov and Nicolson to monitor the status of a kernel level component and to reset and validate the system if the component is inactive, in order to maintain the normal operation of the computer system.

Per claim 6, Mu does not explicitly disclose “wherein the remediation action includes generating a new worker thread, flushing an event queue, registering a new operating system hook, or performing a reset of the kernel-mode component”. However, Nicolson suggests the above (paragraphs [0044]-[0046]; when a driver component is inactive, the timer will reach zero and the system will reset). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Mu, Kostadinov and Nicolson to monitor the status of a kernel level component and to reset and validate the system if the component is inactive, in order to maintain the normal operation of the computer system.

Claims 9 and 13 are rejected under similar rationales as claims 2, 6.
Claims 16 and 24 are rejected under similar rationales as claims 2, 6.

Claims 7, 14, 20 and 23 are rejected under 35 U.S.C. 103 as being unpatentable over Mu and Kostadinov, in view of Rodeheffer et al. (US PGPUB 2008/0162589) hereinafter Rodeheffer.

Per claim 7, Mu does not explicitly disclose “the integrity manager is further configured to determine that an integrity of a data store associated with the kernel-mode component has been compromised; and in response to determining that the integrity of the data store has been compromised, perform at least one of: deleting from the data store, or saving a saved state of the data store, creating a new data store, and initializing a new data store based on the saved state.” However, Rodeheffer suggests the above (paragraph [0022]; after data on a data storage is determined to be compromised, the data is removed for security purposes). Mu discloses a kernel level integrity manager (claims 1-5; security filter and filter controller). Thus, it would have been obvious to one of ordinary skill in the art 

Claims 14 and 20 are rejected under similar rationales as claim 7.

Per claim 23, Mu in combination with Rodeheffer suggests “wherein the data store is a situational model that tracks at least one of attributes, patterns, or behaviors associated with applications or processes executing on the computing device” (Rodeheffer paragraph [0022] discloses a data store; Mu (Fig. 10) discloses an event log storage, which tracks behaviors (events) of processes executing on the computing device).

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Chat Do, can be reached on 571-272-3721. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/HANG PAN/Primary Examiner, Art Unit 2193