Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
EXAMINER’S AMENDMENT
Authorization for this examiner’s amendment was given in an interview with James J. Barta, Jr., Reg. No. 47,409 on March 12, 2021.
The application has been amended as follows:
In the claims:

1. (Cancelled).

2. (Currently Amended) A computer-implemented cybersecurity method comprising:
generating a process fingerprint of a process, wherein the process fingerprint identifies the process based, at least in part, on data representing dynamic features of the process, the process fingerprint comprising a time-ordered sequence of the dynamic features of the process wherein the data comprises a pathname of a file that initiated the process, a network address of a device accessed by the process, and an indication that the file was modified by the process; 
comparing the process fingerprint to a plurality of process fingerprints; 	
based, at least in part on a result of the comparison, determining that the process fingerprint matches at least one process fingerprint included in the plurality of process fingerprints; and 


3. (Currently Amended) The method of claim 2, wherein generating the process fingerprint comprises 

4. (Currently Amended) The method of claim 2, wherein the process is determined to be a malware upon the at least one process fingerprint that matched the process fingerprint of the process is determined to be a fingerprint of a malware process. 

5. (Previously Presented) The method of claim 2, wherein the data representing dynamic features of the process comprises data characterizing file operations associated with the process.



7. (Previously Presented) The method of claim 2, wherein the data representing dynamic features of the process comprises data characterizing network activity associated with the process.

8. (Previously Presented) The method of claim 2, wherein the data representing dynamic features of the process comprises data characterizing inter-process operations performed by the process.

9. (Cancelled).

10. (Previously Presented) The method of claim 3, wherein the hashing operation is a rolling cryptographic hash operation.

11. (Previously Presented) The method of claim 3, wherein the hashing operation is a deterministic, sequence-invariant cryptographic hash operation.

12. (Original) The method of claim 2, wherein generating the process fingerprint comprises generating a first process fingerprint and a second process fingerprint.

13. (Cancelled). 

14. (Previously Presented) The method of claim 2, wherein the data representing dynamic features of the process is selected from a group consisting of data characterizing modules loaded by the process, data characterizing file operations associated with the process, data characterizing registry operations performed by the process, data characterizing network activity associated with the process, and data characterizing inter-process operations performed by the process.

15. (Cancelled).

16. (Cancelled).

17. (Cancelled).

18. (Previously Presented) The method of claim 2, wherein the data representing dynamic features of the process includes timing data associated with the process.

19. (Cancelled).



21. (Previously Presented) The method of claim 2, wherein the plurality of process fingerprints includes one or more process fingerprints of one or more whitelisted processes, and wherein determining whether the process is a malware process comprises determining that the process is not a malware process based on the process fingerprint matching a fingerprint included in the one or more process fingerprints of the one or more whitelisted processes.

22. (Currently Amended) A cybersecurity system, comprising:
a data processing apparatus programmed to perform operations comprising: 
generating a process fingerprint of a process, wherein the process fingerprint identifies the process based, at least in part, on data representing dynamic features of the process, the process fingerprint comprising a time-ordered sequence of the dynamic features of the process, wherein the data comprises a pathname of a file that initiated the process, a network address of a device accessed by the process, and an indication that the file was modified by the process; 

based, at least in part on a result of the comparison, indicating that the process fingerprint matches at least one process fingerprint included in the plurality of process fingerprints; and
based on the indicating that the process fingerprint matches the at least one process fingerprint included in the plurality of process fingerprints, determining whether the process is a malware process.

23. (Currently Amended) The system of claim 22, wherein generating the process fingerprint comprises 

24. (Previously Presented) The system of claim 23, wherein the hashing operation is a rolling cryptographic hash operation.

25. (Previously Presented) The system of claim 23, wherein the hashing operation is a deterministic, sequence-invariant cryptographic hash operation.



27. (Previously Presented) The system of claim 26, wherein generating the first process fingerprint comprises performing a hashing operation on data representing first dynamic features of the process, the first dynamic features being dynamic features of a first type, and wherein generating the second process fingerprint comprises performing a hashing operation on data representing second dynamic features of the process, the second dynamic features being dynamic features of a second type different from the first type.

28. (Previously Presented) The system of claim 22, wherein the plurality of process fingerprints includes one or more process fingerprints of one or more blacklisted processes, and determining whether the process is a malware process comprises determining that the process is a malware process based on the process fingerprint matching a fingerprint included in the one or more process fingerprints of the one or more blacklisted processes.

29. (Currently Amended) The system of claim [[28]]22, wherein the plurality of process fingerprints includes one or more process fingerprints of one or more whitelisted processes, and wherein determining whether the process is a malware process comprises determining that the process is not a malware process based on the process fingerprint matching a fingerprint included in the one or more process fingerprints of the one or more whitelisted processes.

30. (Cancelled).

31. (Currently Amended) A computer storage medium having instructions stored thereon that, when executed by a data processing apparatus, cause the data processing apparatus to perform operations comprising:
	generating a process fingerprint of a process, wherein the process fingerprint identifies the process based, at least in part, on data representing dynamic features of the process, the process fingerprint comprising a time-ordered sequence of the dynamic features of the process, wherein the data comprises a pathname of a file that initiated the process, a network address of a device accessed by the process, and an indication that the file was modified by the process;
	comparing the process fingerprint to a plurality of process fingerprints; 
	based, at least in part on a result of the comparison, determining that the process fingerprint matches at least one process fingerprint included in the plurality of process fingerprints; and
	based on the determining that the process fingerprint matches the at least one process fingerprint included in the plurality of process fingerprints, determining whether the process is a malware process.

32. (Currently Amended) The computer storage medium of claim 31, wherein generating the process fingerprint comprises 

33. (Previously Presented) The computer storage medium of claim 31, wherein the plurality of process fingerprints includes one or more process fingerprints of one or more blacklisted processes, and wherein determining whether the process is a malware process comprises determining that the process is a malware process based on the process fingerprint matching a fingerprint included in the one or more process fingerprints of the one or more blacklisted processes.

34. (Previously Presented) The computer storage medium of claim 31, wherein the plurality of process fingerprints includes one or more process fingerprints of one or more whitelisted processes, and wherein determining whether the process is a malware process comprises determining that the process is not a malware process based on the process fingerprint matching a fingerprint included in the one or more process fingerprints of the one or more whitelisted processes.



36. (Cancelled).

37. (Previously Presented) The computer storage medium of claim 31, wherein the data representing dynamic features of the process is selected from a group consisting of data characterizing modules loaded by the process, data characterizing file operations associated with the process, data characterizing registry operations performed by the process, data characterizing network activity associated with the process, and data characterizing inter-process operations performed by the process.

38. (New) The computer storage medium of claim 31, wherein the process is determined to be a malware upon the at least one process fingerprint that matched the process fingerprint of the process is determined to be a fingerprint of a malware process.

39. (New) The computer storage medium of claim 31, wherein the data representing dynamic features of the process comprises data characterizing file operations associated with the process.
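
Illustrative sketch, added here and not part of the Office action or of the application: one way a fingerprint over a time-ordered sequence of dynamic features, and an order-invariant second fingerprint, could be computed and matched against blacklisted and whitelisted fingerprints. The event kinds, the chained SHA-256 construction, the sample trace and the blacklist-first precedence are assumptions made for the example.

```python
import hashlib
from typing import Iterable, NamedTuple

class Event(NamedTuple):
    ts: float    # observation time; used only to order the features
    kind: str    # assumed kinds: "image_path", "net_connect", "file_modified"
    value: str

def _encode(ev: Event) -> bytes:
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    parts = [ev.kind.encode(), ev.value.casefold().encode()]
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)

def ordered_fingerprint(events: Iterable[Event]) -> str:
    """Chained SHA-256 over the features in time order (order-sensitive)."""
    state = b"\x00" * 32
    for ev in sorted(events, key=lambda e: e.ts):  # equal timestamps keep input order
        state = hashlib.sha256(state + _encode(ev)).digest()
    return state.hex()

def unordered_fingerprint(events: Iterable[Event]) -> str:
    """Hash of the sorted set of per-feature digests (order-invariant)."""
    digests = sorted({hashlib.sha256(_encode(ev)).digest() for ev in events})
    return hashlib.sha256(b"".join(digests)).hexdigest()

def classify(fp: str, blacklist: set, whitelist: set) -> str:
    # Assumption: a blacklist match takes precedence over a whitelist match.
    if fp in blacklist:
        return "malware"
    if fp in whitelist:
        return "not malware"
    return "unknown"

# Constructed sample trace (made-up path, documentation-range address).
TRACE = [
    Event(1.0, "image_path", r"C:\Users\Public\updater.exe"),
    Event(2.5, "net_connect", "203.0.113.7:443"),
    Event(3.1, "file_modified", r"C:\Users\Public\updater.exe"),
]
# Same behaviour seen later, with events delivered out of order.
REPLAY = [Event(e.ts + 100, e.kind, e.value) for e in reversed(TRACE)]
# Same features, but the file is modified before the connection is made.
REORDERED = [TRACE[0], Event(1.5, *TRACE[2][1:]), TRACE[1]]

if __name__ == "__main__":
    known_bad = {ordered_fingerprint(TRACE)}
    print(classify(ordered_fingerprint(REPLAY), known_bad, set()))
    print(classify(ordered_fingerprint(REORDERED), known_bad, set()))
```

Because timestamps only order the features and are not hashed, the replayed trace matches the stored fingerprint, while the reordered trace matches only on the order-invariant fingerprint.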


Conclusion

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl, can be reached on 571-272-3685. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


BEEMNET W. DADA
Primary Examiner
Art Unit 2435