DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-3, 6-10, 13-17, 20 and 21 are allowed.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 1/13/20, 1/14/20 and 1/22/20 are being considered by the examiner.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with Michael Dergosits on 7/31/20.
The application has been amended as follows: 
(Currently Amended) A method comprising:
receiving, by a decision component executing on a mobile communications device (MCD), data from a known bad component executing on the MCD, the data including first information regarding a set of requests and second information regarding a set of user responses to the set of requests, after: 
the data was analyzed, by a known good component executing on the MCD, in an attempt to determine whether the data is safe, the determination being that the known good component does not consider the data to be safe; and

analyzing, by the decision component, the data to determine whether the data is safe or malicious by analyzing the first information and the second information for a temporal component indicative of malicious behavior, the data being determined to be safe when the analysis of the data does not find a temporal component indicative of malicious behavior and the data being determined to be malicious when the analysis of the data finds a temporal component indicative of malicious behavior; and
when the decision component determines that the data is safe, allowing the data to be further processed by the MCD; or
when the decision component determines that the data is malicious, preventing the data from being further processed by the MCD.

(Currently Amended) The method of claim 1, wherein the analyzing, by the decision component, the data to determine whether the data is safe further includes:
assessing, by the decision component, the data to determine whether the data contains first characteristics that are characteristic of safe data;
assessing, by the decision component, the data to determine whether the data contains second characteristics that are characteristic of malicious data; and
assigning, by the decision component, a degree the data is safe or malicious based on the determined first and second characteristics, the degree representing a location on a scale between the data being safe and the data being malicious.

(Currently Amended) The method of claim 2, wherein:
the data is determined to be safe when the location on the scale indicates the data is more safe than malicious and when the analysis of the data does not find a temporal component indicative of malicious behavior; and
the data is determined to be malicious when the location on the scale indicates the data is more malicious than safe and when the analysis of the data finds a temporal component indicative of malicious behavior.

(Cancelled)  
(Cancelled)

(Currently Amended) The method of claim [[4]] 1, wherein the temporal component is indicative of one of:  
an attempt to frustrate the user;
a denial of service attack; or
a port scan attack.

(Currently Amended) The method of claim 1, wherein the analyzing the data to determine whether the data is safe includes analyzing the data to determine whether:
the data includes false data, or 
a purported origin of the data is not legitimate; and
the data is determined to be safe when the analysis of the data determines the data does not include false data and the purported origin is legitimate and when the analysis of the data does not find a temporal component indicative of malicious behavior; and
 and when the analysis of the data finds a temporal component indicative of malicious behavior.

(Currently Amended) A non-transitory, computer-readable storage medium having stored thereon a plurality of instructions, which, when executed by a processor of a mobile communications device (MCD), cause the MCD to:
receive, by a decision component executing on the MCD, data from a known bad component executing on the MCD, the data including first information regarding a set of requests and second information regarding a set of user responses to the set of requests, after: 
the data was analyzed, by a known good component executing on the MCD, in an attempt to determine whether the data is safe, the determination being that the known good component does not consider the data to be safe; and
the data was analyzed, by the known bad component executing on the MCD, in an attempt to determine whether the data is malicious, the determination being that the known bad component does not consider the data to be malicious;
analyze, by the decision component, the data to determine whether the data is safe or malicious by analyzing the first information and the second information for a temporal component indicative of malicious behavior, the data being determined to be safe when the analysis of the data does not find a temporal component indicative of malicious behavior and the data being determined to be malicious when the analysis of the data finds a temporal component indicative of malicious behavior; and
allow the data to be further processed when the decision component determines that the data is safe; or


(Currently Amended) The computer-readable storage medium of claim 8, wherein the instructions to analyze, by the decision component, the data to determine whether the data is safe includes further instructions to:
assess, by the decision component, the data to determine whether the data contains first characteristics that are characteristic of safe data;
assess, by the decision component, the data to determine whether the data contains second characteristics that are characteristic of malicious data; and
assign, by the decision component, a degree the data is safe or malicious based on the determined first and second characteristics, the degree representing a location on a scale between the data being safe and the data being malicious.

(Currently Amended) The computer-readable storage medium of claim 9, wherein:
the data is determined to be safe when the location on the scale indicates the data is more safe than malicious and when the analysis of the data does not find a temporal component indicative of malicious behavior; and
the data is determined to be malicious when the location on the scale indicates the data is more malicious than safe and when the analysis of the data finds a temporal component indicative of malicious behavior.

(Cancelled)
(Cancelled) 

(Currently Amended) The computer-readable storage medium of claim [[11]] 8, wherein the temporal component is indicative of one of:
an attempt to frustrate the user;
a denial of service attack; or
a port scan attack.

(Currently Amended) The computer-readable storage medium of claim 8, wherein the analyzing the data to determine whether the data is safe includes analyzing the data to determine whether:
the data includes false data, or 
a purported origin of the data is not legitimate; and
the data is determined to be safe when the analysis of the data determines the data does not include false data and the purported origin is legitimate and when the analysis of the data does not find a temporal component indicative of malicious behavior; and
the data is determined to be malicious when the analysis of the data determines the data does include false data or the purported origin is not legitimate and when the analysis of the data finds a temporal component indicative of malicious behavior.

(Currently Amended) A system, comprising a mobile communications device (MCD) with at least one processor and memory and instructions that when executed by the at least one processor cause the MCD to:  
, the data including first information regarding a set of requests and second information regarding a set of user responses to the set of requests, after: 
the data was analyzed, by a known good component executing on the MCD, in an attempt to determine whether the data is safe, the determination being that the known good component does not consider the data to be safe; and
the data was analyzed, by the known bad component executing on the MCD, in an attempt to determine whether the data is malicious, the determination being that the known bad component does not consider the data to be malicious;
analyze, by the decision component, the data to determine whether the data is safe or malicious by analyzing the first information and the second information for a temporal component indicative of malicious behavior, the data being determined to be safe when the analysis of the data does not find a temporal component indicative of malicious behavior and the data being determined to be malicious when the analysis of the data finds a temporal component indicative of malicious behavior; and
allow the data to be further processed when the decision component determines that the data is safe; or
prevent the data from being further processed when the decision component determines that the data is malicious.

(Currently Amended) The system of claim 15, wherein the instructions to analyze, by the decision component, the data to determine whether the data is safe includes further instructions to:
assess, by the decision component, the data to determine whether the data contains first characteristics that are characteristic of safe data;

assign, by the decision component, a degree the data is safe or malicious based on the determined first and second characteristics, the degree representing a location on a scale between the data being safe and the data being malicious.

(Currently Amended) The system of claim 16, wherein:
the data is determined to be safe when the location on the scale indicates the data is more safe than malicious and when the analysis of the data does not find a temporal component indicative of malicious behavior; and
the data is determined to be malicious when the location on the scale indicates the data is more malicious than safe and when the analysis of the data finds a temporal component indicative of malicious behavior.

(Cancelled)
(Cancelled)

(Currently Amended) The system of claim [[18]] 15, wherein the temporal component is indicative of one from the group of:
an attempt to frustrate the user;
a denial of service attack; and
a port scan attack.

(Currently Amended) The system of claim 15, wherein the analyzing the data to determine whether the data is safe includes analyzing the data to determine whether:
the data includes false data, or 
a purported origin of the data is not legitimate; and
the data is determined to be safe when the analysis of the data determines the data does not include false data and the purported origin is legitimate and when the analysis of the data does not find a temporal component indicative of malicious behavior; and
the data is determined to be malicious when the analysis of the data determines the data does include false data or the purported origin is not legitimate and when the analysis of the data finds a temporal component indicative of malicious behavior.


Allowable Subject Matter
The following is an examiner’s statement of reasons for allowance:
Tuvell et al. U.S. Pub. No. 20070240218 discloses a method of detecting malware based on comparison of hash values/signatures of known suspect application.
Lee U.S. Pat. No. 8127358 discloses a method of scanning a file for malicious code locally by a mobile device using previously scanned files scanned by server to minimize network traffic.
The prior art of record does not explicitly disclose, in light of other features recited in independent claims, the data including first information regarding a set of requests and second information regarding a set of user responses to the set of requests, analyzing, by the decision component, the data to determine whether the data is safe or malicious by analyzing the first information and the second information for a temporal component indicative of malicious behavior, the data being determined to be safe when the analysis of the data does not find a temporal component indicative of malicious behavior and the data being determined to be malicious when the analysis of the data finds a temporal component indicative of malicious behavior.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Kim et al. U.S. Pub. No. 20100313270 discloses a method for detecting energy consumption anomalies and mobile malware variants.
Barash et al. U.S. Pub. No. 20100332593 discloses a method for operating an anti-malware network on a cloud computing platform.
Ollmann U.S. Pub. No. 20100154032 discloses a method for classification of unwanted or malicious software through the identification of encrypted data communication.
Featherstone et al. U.S. Pub. No. 20080318562 discloses a method for monitoring the context associated with a mobile communication device.
Szor U.S. Pub. No. 20090293125 discloses a centralized scanner database with optimal definition distribution using network queries.
Soderberg et al. U.S. Pub. No. 20080235801 discloses combining assessment models and client targeting to identify network security vulnerabilities.
Tahir et al. U.S. Pub. No. 20130276124 discloses a method for providing mobile device protection.
Zhao et al. U.S. Pub. No. 20130055405 discloses a method for mobile information security protection.


Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHIN HON (ERIC) CHEN whose telephone number is (571)272-3789. The examiner can normally be reached on Monday to Thursday 9am-7pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on 571-272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/SHIN-HON (ERIC) CHEN/Primary Examiner, Art Unit 2431