DETAILED ACTION

Currently pending claims are 1 – 14 and 16 – 24.

Response to Arguments
Applicant's arguments with respect to the subject matter of the instant claims have been fully considered but are not persuasive.
As per claim 1, Applicant asserts Telesco does not teach providing a malware detection state machine because Telesco’s state machine is merely tagging the data as red / yellow / green and fails to teach the recited claim elements such as “each one of the plurality of states is further configured to respond to the occurrence of the one of the sequence of events by transitioning to a next sequential one of the plurality of states where the event handler monitors for a next sequential one of the sequence of events associated with the malware and to respond to an exit condition by returning to the initial state, wherein the exit condition for at least one of the states includes a time-based exit condition that resets the state machine after a predetermined amount of time, and further wherein the event handler is configured to respond to a terminal event in the sequence of events during the terminal state by identifying the malware on the endpoint” (Remarks: Page 11 / 1st Para).  Examiner respectfully disagrees with the following rationale.
Examiner notes that, according to MPEP 2111, under the broadest reasonable claim interpretation applicant’s argument has no merit because any state machine of a computer system is, essentially, event driven; however, the alleged limitation, such as “what is the exact context of each particular event associated with each of the plurality of states (as recited) to make the state machine transition to what kind of next sequential state”, has not been specifically recited in the claim.  Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims.  See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).
In light of that, Examiner notes Telesco provides a state machine version of a simple event handler (Telesco: Col. 20 Line 21 – 26) to detect an unauthorized access to a computing system (i.e. endpoint) when it is triggered (invoked) by a new received message (i.e. event data) from a malicious entity to filter and analyze an unauthorized access and to generate a security alarm as necessary (Telesco: Col. 20 Line 33 – 37, Col. 12 Line 31 – 33 and Col. 11 Line 63 – 67) – As such, Telesco’s state machine is qualified as a malware detection state machine; and besides,
(a) Telesco teaches designating a first event as an initial event to invoke (trigger) the use of a particular device configuration (when rebooting the system) to dynamically adapt to varying levels of security threats (e.g. unauthorized access to different types of data) (Telesco: Col. 12 Line 35 – 43), wherein the device configurations depend on the current or expected security threat level for the computing system (w.r.t. unauthorized access to different types of data) (Telesco: Col. 12 Line 37 – 39) – this is consistent with the disclosure of the instant specification (SPEC-PG.PUB: Para [0180] Line 5 – 8: a first (initial) event is triggered for detecting a particular malware instance); and 
Telesco also teaches using a second event as a terminal event (e.g. an unauthorized event) such as receiving a new message for unauthorized access to trigger the state machine to filter and analyze unauthorized events (Telesco: FIG. 17 / E-72 & Col. 20 Line 33 – 37 and Col. 11 Line 63 – 67) – this is consistent with the disclosure of the instant specification (SPEC-PG.PUB: Para [0180] Line 3 – 4: a second event is a terminal event); and
Furthermore, Telesco also teaches providing a time-based event as one type of exit condition w.r.t. the state machine, such as a watchdog time-out event for monitoring the operation, especially, of the health of controller and resource management (e.g. a process insufficiency that freezes the control and resource management), that would initiate a system re-boot and re-configure all system devices for returning the system back to the initial state so as to continue monitoring the incoming system events (Telesco: see above & FIG. 17 / E-68 & Col. 20 Line 27 – 28 and Col. 2 Line 30 – 34).  As such Applicant's arguments are respectfully traversed.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1, 4, 23 and 24 are rejected under 35 U.S.C. 112(b) or pre-AIA 35 U.S.C. 112, second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention because the claim language “real-time” is considered to be unclear regarding what exactly constitutes the timing limitation / threshold, in terms of the interval, that qualifies as “real-time” in order to particularly distinguish the claimed subject matter over modern high-speed computing technology, thereby rendering the scope of the claim(s) unascertainable.  See MPEP § 2173.05(d).  Any other claims not addressed are rejected by virtue of their dependency.

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1 – 11, 15 – 20 and 22 – 24 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Telesco et al. (U.S. Patent 7,249,381). 

As per claim 1, 4, 23 and 24, Telesco teaches a computer program product comprising computer executable code embodied in a non- transitory computer readable medium that, when executing on one or more computing devices, performs the steps of:

identifying a sequence of events associated with malware on an endpoint (Telesco: Figure 15 / E-66, E-19(a) & Figure 17, Col. 20 Line 21 – 44, Col. 12 Line 31 – 33 and Col. 11 Line 63 – 67, Col. 18 Line 60 – Col. 19 Line 48 and Col. 2 Line 41 – 48: 
(a) providing a state machine version of a simple event handler (Telesco: Col. 20 Line 21 – 26) to (b) detect an unauthorized access to a computing system (i.e. endpoint) when it is triggered (invoked) by a new received message (i.e. event data) from a malicious entity to filter and analyze an unauthorized access and to generate a security alarm as necessary (Telesco: Col. 20 Line 33 – 37, Col. 12 Line 31 – 33 and Col. 11 Line 63 – 67) – i.e. (c) monitoring (tracing) and analyzing a sequence of events associated with (anomalous) malicious activities (malware attacks) on a target terminal (endpoint) device));
configuring an event handler for use with the endpoint as a state machine comprising a plurality of states arranged sequentially from an initial state to a terminal state, each one of the plurality of states corresponding to a monitoring state for one of the sequence of events associated with the malware, and each one of the plurality of states configured to monitor for an occurrence of the one of the sequence of events (Telesco: see above & Col. 12 Line 35 – 43, Col. 20 Line 21 – 44 and Col. 18 Line 60 – Col. 19 Line 48: 
designating a first event as an initial event to invoke (trigger) the use of a particular device configuration (when rebooting the system) to dynamically adapt to varying levels of security threats (e.g. unauthorized access to different types of data) (Telesco: Col. 12 Line 35 – 43), wherein the device configurations depend on the current or expected security threat level for the computing system (w.r.t. unauthorized access to different types of data) (Telesco: Col. 12 Line 37 – 39) – this is consistent with the disclosure of the instant specification (SPEC-PG.PUB: Para [0180] Line 5 – 8: a first (initial) event is triggered for detecting a particular malware instance); and 
using a second event as a terminal event (e.g. an unauthorized event) such as receiving a new message for unauthorized access to trigger the state machine to filter and analyze unauthorized events (Telesco: FIG. 17 / E-72 & Col. 20 Line 33 – 37 and Col. 11 Line 63 – 67) – this is consistent with the disclosure of the instant specification (SPEC-PG.PUB: Para [0180] Line 3 – 4: a second event is a terminal event);
wherein each one of the plurality of states is further configured to respond to the occurrence of the one of the sequence of events by transitioning to a next sequential one of the plurality of states where the event handler monitors for a next sequential one of the sequence of events associated with the malware and to respond to an exit condition by returning to the initial state, wherein the exit condition for at least one of the states includes a time-based exit condition that resets the state machine after a predetermined amount of time (Telesco: see above & FIG. 17 / E-68 & Col. 20 Line 27 – 28 and Col. 2 Line 30 – 34: Telesco teaches providing a time-based event as one type of exit condition w.r.t. the state machine, such as a watchdog time-out event for monitoring the operation, especially, of the health of controller and resource management (e.g. a process insufficiency that freezes the control and resource management), that would initiate a system re-boot and re-configure all system devices for returning the system back to the initial state so as to continue monitoring the incoming system events), and further wherein
the event handler is configured to respond to a terminal event in the sequence of events during the terminal state by identifying the malware on the endpoint (Telesco: see above); 
        deploying the event handler as an event-based state machine for use by a local security agent executing on the endpoint in realtime detection of the malware (Telesco: see above & Col. 20 Line 30 – 37); 
        monitoring events on the endpoint with the event handler (Telesco: see above); 
        detecting the malware on the endpoint based upon an occurrence of the terminal event during the terminal state (Telesco: see above); and 
        remediating the malware on the endpoint (Telesco: see above & Figure 20 / E-6 and Col. 20 Line 40 – 44: sending an alert message (security alarm) to the system and users).  
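The claim 1 event handler as recited above (states arranged sequentially from an initial to a terminal state, each monitoring for one event of the sequence, a time-based exit condition returning to the initial state, and the terminal event identifying the malware), as an added Python illustration that is not from Telesco, the applicant's specification or this action; the three-step event sequence, the 30-second timeout and the event stream are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Event:
    kind: str                     # e.g. "proc_create", "file_write", "net_connect"
    ts: float                     # event timestamp in seconds (from the constructed stream)
    attrs: dict = field(default_factory=dict)

class SequenceDetector:
    """States 0..n-1 arranged sequentially; state i monitors for step i of the sequence.
    A match advances to state i+1, the terminal match identifies the malware, and a
    time-based exit condition returns to the initial state after `timeout` seconds."""
    def __init__(self, name, steps, timeout):
        self.name = name
        self.steps = steps            # list of (event kind, predicate) pairs
        self.timeout = timeout        # predetermined amount of time, in seconds
        self.state = 0                # index into steps; 0 is the initial state
        self.entered_at = None        # timestamp when the current non-initial state was entered
        self.detections = []          # (name, timestamp) of each identified malware instance
        self.timeout_resets = 0

    def _to_initial(self):
        self.state, self.entered_at = 0, None

    def handle(self, ev):
        # Exit condition: the predetermined time elapsed, so reset before evaluating this event
        if self.state > 0 and ev.ts - self.entered_at > self.timeout:
            self._to_initial()
            self.timeout_resets += 1
        kind, pred = self.steps[self.state]
        if ev.kind != kind or not pred(ev):
            return False              # stay in the current state and keep monitoring
        if self.state == len(self.steps) - 1:
            self.detections.append((self.name, ev.ts))   # terminal event in terminal state
            self._to_initial()        # cycle back to wait for the next instance
            return True
        self.state += 1               # transition to the next sequential state
        self.entered_at = ev.ts
        return False

# Hypothetical three-step sequence: an office application spawns a child process, the
# child writes to a startup folder, then the child makes an outbound connection.
STEPS = [
    ("proc_create", lambda e: e.attrs.get("parent") in {"winword.exe", "excel.exe"}),
    ("file_write",  lambda e: "startup" in e.attrs.get("path", "").lower()),
    ("net_connect", lambda e: e.attrs.get("dst_port") not in (80, 443)),
]

# Constructed event stream: the first attempt stalls for 38 s before step 3, so the
# 30 s exit condition resets the machine; the second attempt completes and is flagged.
SAMPLE_EVENTS = [
    Event("proc_create", 0.0, {"parent": "winword.exe", "pid": 101}),
    Event("file_write", 2.0, {"pid": 101, "path": "C:\\Users\\u\\Startup\\x.lnk"}),
    Event("net_connect", 40.0, {"pid": 101, "dst_port": 8443}),
    Event("proc_create", 41.0, {"parent": "excel.exe", "pid": 202}),
    Event("file_write", 42.0, {"pid": 202, "path": "C:\\Users\\u\\Startup\\y.lnk"}),
    Event("net_connect", 43.0, {"pid": 202, "dst_port": 8443}),
]

def run(events=SAMPLE_EVENTS, timeout=30.0):
    det = SequenceDetector("office-dropper-sequence", STEPS, timeout)
    for ev in events:
        det.handle(ev)
    return det.detections, det.timeout_resets

print(run())   # ([('office-dropper-sequence', 43.0)], 1)
```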

As per claim 2 – 3, Telesco teaches wherein the one or more computing devices includes the endpoint (Telesco: see above & Col. 2 Line 41 – 48: using a finite state machine automata to monitor and trace a sequence of events associated with (anomaly) malware on a target terminal (endpoint) device in a local or remote networking environment).  

As per claim 5, Telesco teaches monitoring events on the endpoint with the event handler (Telesco: see above and Col. 17 Line 66 – 67).  

As per claim 6, Telesco teaches wherein the second one of the sequence of events is the terminal event (Telesco: see above).  

As per claims 7 – 8, 11 and 22, the claims contain similar limitations to claim 1 and thus are rejected with the same rationale.   

As per claim 9, Telesco teaches wherein at least one of the sequence of events includes a multi-parameter event (Telesco: see above and Col. 20 Line 30 – 44: receiving a new message that may include a protocol type, source, destination, IP / MAC addresses, payload data, etc. in a local or remote networking environment).  

As per claim 10, Telesco teaches wherein the first one of the sequence of events is an initial one of the sequence of events (Telesco: see above and Figure 17 / E-69 & E-70 and Col. 12 Line 35 – 43: designating a first event as an initial event to invoke (trigger) the use of a particular device configuration (when rebooting the system) to dynamically adapt to varying levels of security threats (e.g. unauthorized access to different types of data) (Telesco: Col. 12 Line 35 – 43), wherein the device configurations depend on the current or expected security threat level for the computing system (w.r.t. unauthorized access to different types of data) (Telesco: Col. 12 Line 37 – 39) – this is consistent with the disclosure of the instant specification (SPEC-PG.PUB: Para [0180] Line 5 – 8: a first (initial) event is triggered for detecting a particular malware instance).  

As per claim 16, Telesco teaches wherein the exit condition includes a time limit for detection of the malware (Telesco: see above and Col. 18 Line 44 – 48: a TIMEOUT event).  

As per claim 17, Telesco teaches wherein the event handler includes a plurality of exit conditions that return the event handler to the first state (Telesco: see above: (a) Telesco teaches providing a time-based event as one type of exit condition w.r.t. the state machine, such as a watchdog time-out event for monitoring the operation, especially, of the health of controller and resource management (e.g. a process insufficiency that freezes the control and resource management), that would initiate a system re-boot and re-configure all system devices for returning the system back to the initial state so as to continue monitoring the incoming system events (Telesco: see above & FIG. 17 / E-68 & Col. 20 Line 27 – 28 and Col. 2 Line 30 – 34); and (b) returning to an INIT / IDLE state designated as a newly started instance waiting for a new incoming security event is the cyclic nature of the usage of a state machine so as to continue monitoring the incoming system events).  

As per claim 18, Telesco teaches wherein the sequence of events includes at least one event from a computing object selected from a group consisting of a data file, a process, an application, a registry entry, a network address, and a peripheral device (Telesco: see above & Col. 20 Line 30 – 44: receiving a new message that may include a protocol type, source, destination, IP / MAC addresses, payload data, etc. in a local or remote networking environment).  

As per claim 19, Telesco teaches wherein the sequence of events includes at least one event from a network address selected from a group consisting of a uniform resource locator (URL), an internet protocol (IP) address, and a domain name (Telesco: see above & Col. 12 Line 15 – 20 and Col. 2 Line 41 – 48: at least validating the network source address and checking unauthorized data access).  

As per claim 20, Telesco teaches wherein the sequence of events includes at least one event from a peripheral device selected from a group including at least one of a universal serial bus (USB) memory, a network interface card, a camera, a printer, a mouse and a keyboard (Telesco: see above & Col. 12 Line 15 – 20 and Col. 2 Line 41 – 48: (e.g.) a network interface card). 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 13 (& 12), 14 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Telesco et al. (U.S. Patent 7,249,381), in view of Brenzinski et al. (U.S. Patent 9,225,730).  

As per claim 13, Brenzinski (& Telesco) teaches identifying the sequence of events includes traversing an event graph among a sequence of causal events in reverse chronological order to a root cause of the malware (Brenzinski: Col. 4 Line 52 – 67 and Col. 11 Line 57 – 64: (a) a state graph can be traversed to identify anomalous activity included in the state graph starting from a start vertex, and the graph can be traversed in either a depth-first or a breadth-first manner, and (b) the traversal can be performed based on a time-stamp attribute such that the traversal is in accordance with a desired chronological order).  
            It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Brenzinski within the system of Telesco because (a) Telesco teaches providing a malware (e.g. network intrusion) management system that designates a sequence of events (w.r.t. a target device) which includes malicious activities monitored and analyzed by a sequence of states / events (see above), and (b) Brenzinski teaches effectively providing a state graph which can be traversed to identify anomalous activity included in the state graph starting from a start vertex (a root cause), and the graph can be traversed in either a depth-first or a breadth-first manner for analysis (see above). 

As per claim 12, Brenzinski (& Telesco) teaches providing a scripting language for configuring the event handler (Brenzinski: Col. 8 Line 1 – 4: using a Java-script). See the same rationale of combination applied herein as above in rejecting the claim 13.

As per claim 14, Brenzinski (& Telesco) teaches providing the event handler includes creating the sequence of events based on a forward traversal of the event graph (Brenzinski: see above & Col. 11 Line 57 – 60: forward traversing the state graph). 

As per claim 21, Brenzinski (& Telesco) teaches wherein the sequence of events includes at least one file operation selected from a group consisting of a read, a write, an open, a move, a copy and a delete (Brenzinski: Col. 3 Line 15 – 16: (e.g.) accessing (reading) a password file). See the same rationale of combination applied herein as above in rejecting the claim 13.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to LONGBIT CHAI whose telephone number is (571)272-3788.  The examiner can normally be reached on Monday - Friday 9:00am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D. Feild can be reached on 571-272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

---------------------------------------------------
                  /Longbit Chai/
           Longbit Chai E.E. Ph.D.
    Primary Examiner, Art Unit 2431
                   No. #2209 – 2021
---------------------------------------------------