Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments and Amendments
	The amendments and arguments have been fully considered.
	Full support for the amendments was found in the specification.
	Applicant has argued in substance that:
The Examiner notes that Dubrovsky does not disclose an analysis that identifies suspicious behavior associated with memory accesses on page 4 of the Office Action.
Shukla does not disclose 'performing an analysis on the memory access contextual information . . . the analysis identifying a suspicious behavior associated with the memory accesses and a condition associated with the suspicious behavior, identifying a set of exception handling program code to execute based on the identified condition, and initiating operation of the first set of exception handling program code based on the condition being associated with the suspicious activity' as the Applicant presently claims. This is because Shukla is completely silent on: exception handling program code that is executed based on suspicious behavior associated with a memory access and a condition associated with the suspicious behavior as the Applicant presently claims.
	After a full review of the prior art, United States Patent Application Publication No. US 2008/0016339 A1 (Shukla) is viewed as having further teachings that reflect the argued/new limitations. In particular, Shukla (Paragraphs [0062] and [0068]-[0070]) shows application of behavioral analysis. Additionally, Shukla (Paragraphs [0079] and [0080]) teaches two specific methods for behavior analysis. The grounds of rejection have been updated to reflect these teachings.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over United States Patent No.: US 8,276,202 B1 (Dubrovsky et al.) in view of United States Patent Application Publication No.: US 2008/0016339 A1 (Shukla).

As Per Claim 1: Dubrovsky et al. teaches:  A method for performing analysis in a Cloud computing environment, the method comprising: 

- receiving information from a computing device via a computer network interface;
	(Dubrovsky et al., Column 4 Lines 1-8, “In some embodiments, the client machine 120 sends a request 121 for a file to the gateway device 110. For instance, a user of the client machine 120 may have clicked on a hyperlink in a webpage to request certain content, such as another webpage, a document, a song, a video, a picture, an executable of a software application, etc. The gateway device 110 forwards the request 111 for the file to the second network 105.”).

- accessing computer data associated with the information received from the computing device;
	(Dubrovsky et al., Column 4 Lines 10-23, “Using the path 131 of the file, the datacenter 130 looks up the content rating of the file from its computer-readable storage medium. If the datacenter 130 successfully finds the content rating of the file, then the datacenter 130 sends the content rating 133 to the gateway device 110. Based on the content rating 133, the gateway device 110 may decide whether to block the file from the client machine 110. For example, if the content rating 133 indicates that the file is in a prohibited category (e.g., pornographic, violent, etc.) according to a predetermined policy of the first network 103, then the gateway device 110 may block the file. For example, the gateway device 110 may simply discard data packets of the file instead of forwarding the data packets to the client machine 120.”).

- sending a message to the computing device, based on the suspicious behavior identification, wherein a remaining portion of the computer data accessed is blocked from being sent to a second computing device based on the message being received by the computing device. 
	(Dubrovsky et al., Column 5 Lines 6-18, “If the result 137 from the datacenter 130 indicates that there is a match, then the gateway device 110 determines that the file is likely to contain malware and thus, blocks the file from the client machine 120. For instance, the gateway device 110 may simply discard the data packets not yet forwarded to the client machine 120, instead of continuing to forward the data packets to the client machine 120. The gateway device 110 may also send a message or a warning to the client machine 120 to inform the client machine 120 of the decision. Otherwise, if there is no match, then the file is not likely to contain malware, and thus, the gateway device 110 continues to forward data packets of the file to the client machine 120 until all data packets of the file have been forwarded.”).

Dubrovsky et al. does not explicitly teach the following limitations; however, Shukla, in analogous art, does teach the following limitations:
- the accessed computer data including program code instructions executable by a processor;
- injecting instructions associated with instrumentation code into the accessed computer data, wherein operation of the instrumentation code is transparent to the program code instructions and the operation of the instrumentation code identifies contextual information relating to memory accesses performed by execution of the program code instructions;
- performing an analysis on the memory access contextual information when the instructions associated with the instrumentation code are executed, the analysis identifying a suspicious behavior associated with the memory accesses and;
	(Shukla, Paragraph [0036], “FIG. 4 shows the injected module 36 that could be a dll, a driver, or a direct write into the memory space of that application or a module inside the application or a driver. This module serves the dual purpose of malware detection and enforcement of the sandbox rules 16 for the application of module. In addition, it can create a sandbox for the entire application or individual modules 29, 32 within the application 26.”). 
	(Shukla, Figure 4; image not reproduced here).

	(Shukla, Paragraph [0082], “A module is injected into each application that uses API function calls to obtain the list of running processes, registry entries, network connections, and file names. Same information is obtained independently by making kernel API function calls that bypasses all applications. If the kernel API used by us is not hooked by any other module, it is deemed more reliable. If there is any attempt to hide information from applications, it will show up as a discrepancy between the information gathered by the applications versus the one obtained via native API calls.”). 
	(Shukla, Paragraph [0083], “A module is injected into each application that uses API function calls to obtain the list of running processes, registry entries, network connections, and file names. Same information is obtained independently by making kernel API function calls that bypasses all applications. If the kernel API used by us is not hooked by any other module, it is deemed more reliable. If there is any attempt to hide information from applications, it will show up as a discrepancy between the information gathered by the applications versus the one obtained via native API calls.”). 

- (identifying) a condition associated with the suspicious behavior
- identifying a first set of exception handling program code to execute based on the identified suspicious behavior;
- initiating operation of the first set of exception handling program code based on the condition being associated with the suspicious behavior.
	(Shukla, Paragraph [0062], “Next, a search is conducted for "behavior signatures" during the scan that can either reveal malicious intent or hint at potentially malicious nature. The behavior signatures are collection or sequence of API function calls. The API function calls are detected by searching for the function name and by address. In that case the application or application component is flagged and combined with other runtime behavior to classify it as malicious or harmless. The runtime behavior could be a network access, file creation/deletion, registry modification etc. The "behavior signatures" can be custom tailored to specific type of malware such as keyloggers, rootkits, worms etc.”). 
	(Shukla, Paragraph [0068], “If the hooked module is a known good module, it is ignored. If it is know malicious module, then it should have been flagged during the scanning of the application memory space. The information about which functions the module is hooked into is added to the information regarding the attributes of the malicious module. In the case of unknown module, the module is flagged its information passed to sandbox to monitor its runtime behavior for further analysis. An example of malicious runtime behavior is hiding any information related to a process, file, registry entry, application configuration, or network access.”). 
	(Shukla, Paragraph [0069], “Next step is to determine if the hooked modules are trying to hide or modify any system resource or information in a malicious way. The resource could be a file, process, network connection, or a registry entry. This is achieved by checking application access to computer and network resources via application and then via kernel layer functions that bypass the application, and finding any discrepancies between the two observations. If a malware inside the application is trying to add, hide, or modify information about files, processes, network connections etc. for an application, its effect will be immediately visible as a discrepancy in the information extracted from kernel layer and from the application layer.”). 
	(Shukla, Paragraph [0070], “Based on the observed effect, the offending module is tracked by tracing the hooks to the loaded modules. Once the offending module is discovered, its identity and the status of the application are displayed in the graphical user interface (GUI).”). 
	Additionally, Shukla (Paragraphs [0079] and [0080]) teaches two specific methods for behavior analysis.
	It would have been obvious to one of ordinary skill in the art prior to filing of the application to incorporate the teachings of Shukla into the method of Dubrovsky et al., as Shukla provides a detailed and significant enhancement to the analysis abilities and options for securing a computing environment found in Dubrovsky et al. to protect against network attacks; conversely, Dubrovsky et al. provides a more robust understanding of potential environments and response mechanisms to detected malicious code.
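The cross-view discrepancy technique quoted from Shukla above (Paragraphs [0069], [0082] and [0083]) can be illustrated as follows. This is an added example written for this page, not code from Shukla, Dubrovsky et al., or the application under examination; the resource inventories, process names, paths and registry keys are constructed sample data, and the verdict rules are an assumed reading of Paragraphs [0068]-[0070].

```python
"""Cross-view discrepancy detection as described in the quoted Shukla passages:
the same resource inventory is collected once through the application layer and
once through a kernel-layer path that bypasses the application, and any
difference between the two observations is reported as a discrepancy.
All data below is constructed for illustration; nothing is read from a real host.
"""
from dataclasses import dataclass
from typing import List, Mapping, Set

# Resource categories named in Shukla [0069]: file, process, network connection, registry entry.
RESOURCE_TYPES = ("process", "file", "registry", "network")


@dataclass(frozen=True)
class Discrepancy:
    resource_type: str
    item: str
    kind: str  # "hidden": kernel layer only; "fabricated": application layer only


def compare_views(app_view: Mapping[str, Set[str]],
                  kernel_view: Mapping[str, Set[str]]) -> List[Discrepancy]:
    """Return every item that one layer reports and the other does not."""
    findings: List[Discrepancy] = []
    for rtype in RESOURCE_TYPES:
        app_items = set(app_view.get(rtype, ()))
        kernel_items = set(kernel_view.get(rtype, ()))
        # Present at the kernel layer but missing from the application view:
        # something between the two layers is concealing it.
        for item in sorted(kernel_items - app_items):
            findings.append(Discrepancy(rtype, item, "hidden"))
        # Present only in the application view: the application layer is
        # reporting a resource the kernel does not know about.
        for item in sorted(app_items - kernel_items):
            findings.append(Discrepancy(rtype, item, "fabricated"))
    return findings


def classify(findings: List[Discrepancy]) -> str:
    """Assumed verdict rule: concealment of a resource is treated as malicious;
    other discrepancies are flagged for further sandbox monitoring."""
    if any(f.kind == "hidden" for f in findings):
        return "malicious"
    if findings:
        return "suspicious"
    return "consistent"


# Constructed sample: kernel-layer snapshot, used as the reference view.
KERNEL_VIEW = {
    "process": {"explorer.exe:1204", "svchost.exe:812", "updsvc.exe:4410"},
    "file": {"C:\\Windows\\System32\\drivers\\netflt.sys", "C:\\Users\\u\\report.docx"},
    "registry": {"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
                 "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updsvc"},
    "network": {"10.0.0.5:49213->203.0.113.9:443"},
}

# Constructed sample: application-layer snapshot in which the updsvc process,
# its Run key and its outbound connection are absent from what the application sees.
APP_VIEW = {
    "process": {"explorer.exe:1204", "svchost.exe:812"},
    "file": {"C:\\Windows\\System32\\drivers\\netflt.sys", "C:\\Users\\u\\report.docx"},
    "registry": {"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"},
    "network": set(),
}


def run_sample():
    """Compare the two constructed views and return (findings, verdict)."""
    findings = compare_views(APP_VIEW, KERNEL_VIEW)
    return findings, classify(findings)


if __name__ == "__main__":
    sample_findings, sample_verdict = run_sample()
    for f in sample_findings:
        print(f"{f.kind:10} {f.resource_type:8} {f.item}")
    print("verdict:", sample_verdict)
```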

As Per Claim 2: The rejection of claim 1 is incorporated and further Dubrovsky et al. teaches:  
- the information received from the computing device is associated with a web page. 
	(Dubrovsky et al., Column 4 Lines 1-10, “In some embodiments, the client machine 120 sends a request 121 for a file to the gateway device 110. For instance, a user of the client machine 120 may have clicked on a hyperlink in a webpage to request certain content, such as another webpage, a document, a song, a video, a picture, an executable of a software application, etc. The gateway device 110 forwards the request 111 for the file to the second network 105. Substantial simultaneously, the gateway device 110 may also forward the path 131 of the file (e.g., the URL of the file) to the datacenter 130.”).

As Per Claim 3: The rejection of claim 2 is incorporated and further Dubrovsky et al. teaches:  
- the information received from the computing device is a universal resource locator that identifies the web page. 


As Per Claim 4: The rejection of claim 1 is incorporated and further Dubrovsky et al. teaches:  
- the information received from the computing device is associated with a computer file. 
	(Dubrovsky et al., Column 4 Lines 1-10, “In some embodiments, the client machine 120 sends a request 121 for a file to the gateway device 110. For instance, a user of the client machine 120 may have clicked on a hyperlink in a webpage to request certain content, such as another webpage, a document, a song, a video, a picture, an executable of a software application, etc. The gateway device 110 forwards the request 111 for the file to the second network 105. Substantial simultaneously, the gateway device 110 may also forward the path 131 of the file (e.g., the URL of the file) to the datacenter 130.”).

As Per Claim 5: The rejection of claim 1 is incorporated and further Dubrovsky et al. teaches:  
- a request to receive the accessed computer data was received by the computing device from the second computing device before the information was received from the computing device,
- the computing device also accesses the accessed computer data, and
	(Dubrovsky et al., Column 4 Lines 1-23, “In some embodiments, the client machine 120 sends a request 121 for a file to the gateway device 110. For instance, a user of the client machine 120 may have clicked on a hyperlink in a webpage to request certain content, such as another webpage, a document, a song, a video, a picture, an executable of a software application, etc. The gateway device 110 forwards 

- the computing device provides at least a portion of the accessed computer data to the second computing device without sending the remaining portion of the requested computer data to the second computing device. 
	(Dubrovsky et al., Column 2 Lines 15-32, “The datacenter may have stored a set of signatures of previously identified malware. Furthermore, these signatures may be updated every now and then to ensure newly found malware is covered. The datacenter performs signature matching on the identification and returns a result of the signature matching to the gateway device. Then the gateway device determines whether to block the file from the client machine based on the result of the signature matching from the datacenter. In some embodiments, a match indicates that the incoming file is likely to contain malware, whereas no match indicates that the incoming file is not likely to contain malware. If the gateway device determines to block the file, the gateway device may simply stop forwarding the data packets not yet forwarded to the client device and discard these data packets. The gateway device may further send a message or a warning to the client machine to notify the client machine of its finding.”).

As Per Claim 6: The rejection of claim 5 is incorporated and further Dubrovsky et al. teaches:  
- retrieving information associated with the requested computer data, wherein the retrieved information includes at least one of a content rating or a signature associated with a known set of malware. 
	(Dubrovsky et al., Column 4 Lines 10-23, “Using the path 131 of the file, the datacenter 130 looks up the content rating of the file from its computer-readable storage medium. If the datacenter 130 successfully finds the content rating of the file, then the datacenter 130 sends the content rating 133 to the gateway device 110. Based on the content rating 133, the gateway device 110 may decide whether to block the file from the client machine 110. For example, if the content rating 133 indicates that the file is in a prohibited category (e.g., pornographic, violent, etc.) according to a predetermined policy of the first network 103, then the gateway device 110 may block the file. For example, the gateway device 110 may simply discard data packets of the file instead of forwarding the data packets to the client machine 120.”).

As Per Claim 7: The rejection of claim 1 is incorporated and further Dubrovsky et al. teaches:  
- a computer in the cloud computing environment performs the analysis on 
	(Dubrovsky et al., Abstract, “Some embodiments of cloud-based gateway security scanning have been presented. In one embodiment, some data packets are received sequentially at a gateway device. The data packets constitute at least a part of a file being addressed to a client machine coupled to the gateway device. The gateway device forwards an identification of the file to a remote datacenter in parallel with forwarding the data packets to the client machine. The datacenter performs signature matching on the identification and returns a result of the signature matching to the gateway device. The gateway device determining whether to block the file from the client machine based on the result of the signature matching from the datacenter.”).

Dubrovsky et al. does not explicitly teach the following limitations; however, Shukla, in analogous art, does teach the following limitations:
- the memory access contextual information.
	(Shukla, Paragraph [0082], “A module is injected into each application that uses API function calls to obtain the list of running processes, registry entries, network connections, and file names. Same information is obtained independently by making kernel API function calls that bypasses all applications. If the kernel API used by us is not hooked by any other module, it is deemed more reliable. If there is any attempt to hide information from applications, it will show up as a discrepancy between the information gathered by the applications versus the one obtained via native API calls.”). 
	(Shukla, Paragraph [0083], “A module is injected into each application that uses API function calls to obtain the list of running processes, registry entries, network connections, and file names. Same information is obtained independently by making kernel API function calls that bypasses all applications. If the kernel API used by us is not hooked by any other module, it is deemed more reliable. If there is any attempt to hide information from applications, it will show up as a discrepancy between the information gathered by the applications versus the one obtained via native API calls.”). 
	It would have been obvious to one of ordinary skill in the art prior to filing of the application to incorporate the teachings of Shukla into the method of Dubrovsky et al., as Shukla provides a detailed and significant enhancement to the analysis abilities and options for securing a computing environment found in Dubrovsky et al. to protect against network attacks; conversely, Dubrovsky et al. provides a more robust understanding of potential environments and response mechanisms to detected malicious code.

As Per Claim 8: The rejection of claim 7 is incorporated and further Dubrovsky et al. teaches:  
- the computer in the cloud computing environment


Dubrovsky et al. does not explicitly teach the following limitations; however, Shukla, in analogous art, does teach the following limitations:
- executes the instructions associated with instrumentation code when the analysis is performed. 
	(Shukla, Paragraph [0032], “In one embodiment of the present invention, a network accessible computer system with plurality of operating systems and applications is protected using a sandbox against attacks that exploit application vulnerabilities. The application sandbox prevents attacks, detects and removes malware based on an elastic or adaptive limits on application behavior. Sandbox for an application, or a module inside the application, is a collection of rules that enforce the limits on its actions. The sandbox operates by establishing boundaries for application behavior that the application must not exceed. The behavior of an application includes actions such as file system access, network access, registry access, data transfer, code execution, system monitoring etc. Given a set of rules, the sandbox can ensure that the application does not exceed the bounds as specified by the rule set.”). 
	It would have been obvious to one of ordinary skill in the art prior to filing of the application to incorporate the teachings of Shukla into the method of Dubrovsky et al., as Shukla provides a detailed and significant enhancement to the analysis abilities and options for securing a computing environment found in Dubrovsky et al. to protect against network attacks; conversely, Dubrovsky et al. provides a more robust understanding of potential environments and response mechanisms to detected malicious code.

As Per Claim 9: Claim 9 is substantially a restatement of the method of claim 1 as a non-transitory computer readable medium and is rejected under substantially the same reasoning.

As Per Claim 10: The rejection of claim 9 is incorporated and further claim 10 is substantially a restatement of the method of claim 2 as a non-transitory computer readable medium and is rejected under substantially the same reasoning.

As Per Claim 11: The rejection of claim 10 is incorporated and further claim 11 is substantially a restatement of the method of claim 3 as a non-transitory computer readable medium and is rejected under substantially the same reasoning.

As Per Claim 12: The rejection of claim 9 is incorporated and further claim 12 is substantially a restatement of the method of claim 5 as a non-transitory computer readable medium and is rejected under substantially the same reasoning.

As Per Claim 13: The rejection of claim 12 is incorporated and further claim 13 is substantially a restatement of the method of claim 6 as a non-transitory computer readable medium and is rejected under substantially the same reasoning.

As Per Claim 14: The rejection of claim 9 is incorporated and further claim 14 is substantially a restatement of the method of claim 7 as a non-transitory computer readable medium and is rejected under substantially the same reasoning.

As Per Claim 15: The rejection of claim 14 is incorporated and further claim 15 is substantially a restatement of the method of claim 8 as a non-transitory computer readable medium and is rejected under substantially the same reasoning.

As Per Claim 16: Claim 16 is substantially a restatement of the method of claim 1 as a system and is rejected under substantially the same reasoning.

As Per Claim 17: The rejection of claim 16 is incorporated and further claim 17 is substantially a restatement of the method of claim 2 as a non-transitory computer readable medium and is rejected under substantially the same reasoning.

As Per Claim 18: The rejection of claim 17 is incorporated and further claim 18 is substantially a restatement of the method of claim 3 as a non-transitory computer readable medium and is rejected under substantially the same reasoning.

As Per Claim 19: The rejection of claim 16 is incorporated and further claim 19 is substantially a restatement of the method of claim 4 as a non-transitory computer readable medium and is rejected under substantially the same reasoning.

As Per Claim 20: The rejection of claim 16 is incorporated and further claim 20 is substantially a restatement of the method of claim 5 as a non-transitory computer readable medium and is rejected under substantially the same reasoning.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BENJAMIN A KAPLAN whose telephone number is (571)270-3170.  The examiner can normally be reached on 9:00 a.m. - 5:00 p.m.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571)272-3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

/BENJAMIN A KAPLAN/Examiner, Art Unit 2434