Remarks
Claims 1-30 are pending.  

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 2/1/2021 has been entered.
 
Response to Arguments
Applicant's arguments filed 2/1/2021 have been fully considered but they are not persuasive.
Applicant alleges “Regardless of whether Flores discloses the elements for which it is cited, Applicants respectfully submit that Flores fails to provide any disclosure or suggestion for the elements of ‘determining, via a processor of a computing device, a probability that a software application currently executing on the computing device is capable of launching a malicious activity, wherein the probability is determined based a current permission of the software application and a previously observed connection request action of the software application’ as is recited or analogously recited in the amended independent claims.”  However, Applicant fails to provide any reasons for such an argument.  Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.  Furthermore, Flores is not cited for the entirety of the argued subject matter.  In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).  Flores is cited below as disclosing determining, via a processor of a computing device, a probability that a software application currently executing on the computing device is capable of launching a malicious activity, wherein the probability is determined based on an analysis of a previously observed connection request action of the software application in Flores’ disclosure of increasing weight of a program, programs that include at least one call to a function or API, detecting API calls, potential malware infection instances, “reducing the list of all programs on the system to only a  subset of programs that receive message from the operating system”, reducing the subset to an even smaller subset, etc., monitoring an application's execution path, calls, calls to other programs/modules, transmission of data to a third party or remote computer over a network, interactions between program and external programs/modules, attempts to activate external modules, calls to update software/OS, 
Applicant alleges that “the Office Action tacitly admits that Flores and Converse does not disclose or suggest the elements of ‘determining, via a processor of a computing device, a probability that a software application currently executing on the computing device is capable of launching a malicious activity, wherein the probability is determined based on an analysis of a current permission of the software application and a previously observed connection request action of the software application.’  See id.”  This is an outright untrue statement that Applicant has not cited any portion of the office action as admitting.  First, this is the amended subject matter which could not possibly have been rejected or admitted as not being within anything before.  Second, the office action clearly stated that Flores discloses:
Determining, via a processor of a computing device, a probability that a software application currently executing on the computing device is capable of launching a malicious activity, wherein the probability is determined based on an analysis of a previously observed action of the software application (Entire Document, for example, Abstract, Paragraphs 11, 16-18, 20-25, 28-31, 34-36, and 40 and associated figures; increasing weight of a program, programs that include at least one call to a function or API, detecting API calls, potential malware infection instances, “reducing the list of all programs on the system to only a  subset of programs that receive message from the operating system”, reducing the 
Therefore, the previous office action could not have admitted what Applicant alleges (since the amendments being argued were not present for rejection thereby) and the previous office action clearly stated that Flores disclosed the majority of what Applicant is alleging here.  Applicant is respectfully requested to refrain from providing untrue statements in the future.  
Applicant provides no argument against any subject matter for which Converse is cited.  
Applicant goes on to provide false statements about alleged admissions on page 14 of the response again.  This has been responded to above.  Once again, Applicant is requested to refrain from providing false statements in the future.  
Applicant appears to copy in the Paul portion of the rejection, alleges “Applicants respectfully disagree with the characterization of the teachings of Paul as set forth in the Office Action”, copies in a portion of Paul, and alleges “That is, the portions of Paul cited in the Office Action disclose computing a security score based on ‘application permissions which determine what the application is capable of accessing’ and ‘real-time analysis of app behavior in the cloud.’  Id. (emphasis added).  Regardless, the cited portions (and the remaining portions) of Paul do not provide any disclosure or suggestion for the elements of ‘determining, via a processor of a computing device, a probability that a software application currently executing on the computing device is capable of launching a malicious activity, wherein the probability is determined based on an analysis of a current permission of the software application and a previously observed connection request action of the software application’ as is recited or analogously recited in the amended independent claims.”  However, Applicant fails to provide any actual argument here and, rather, simply provides a general allegation with no reasoning set forth whatsoever.  Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.  Furthermore, Paul is not cited as disclosing the entirety of the argued subject matter.  As shown above, Flores is cited as disclosing determining, via a processor of a computing device, a probability that a software application currently executing on the computing device is capable of launching a malicious activity, wherein the probability is determined based on an analysis of a previously observed connection request action of the software application.  Paul discloses that the probability is determined based on an analysis of a current permission of the software application in Paul’s disclosure of a security score based on security analysis, application permissions, reputation, feedback, app behavior, etc., as examples.  Applicant has provided no argument against this fact.  
Therefore, the combination of Flores in view of Converse and Paul discloses the entire determining limitation being argued.  

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.




Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-30 are rejected under 35 U.S.C. 103 as being unpatentable over Flores (U.S. Patent Application Publication 2007/0240215) in view of Converse (U.S. Patent Application Publication 2005/0166072) and Paul (U.S. Patent 9,369,433).

Flores discloses a method implemented in a honeypot system for triggering malicious activities by applications, comprising:
Determining, via a processor of a computing device, a probability that a software application currently executing on the computing device is capable of launching a malicious activity, wherein the probability is determined based on an analysis of a previously observed connection request action of the software application (Entire Document, for example, Abstract, Paragraphs 11, 15-18, 20-25, 28-31, 34-36, and 40 and associated figures; increasing weight of a program, programs that include at least one call to a function or API, detecting API calls, potential malware infection instances, “reducing the list of all programs on the system to only a  subset of programs that receive message from the operating system”, reducing the subset to an even smaller subset, etc., monitoring an application's execution path, calls, calls to other programs/modules, transmission of data to a third party or remote computer over a network, interactions between program and external programs/modules, attempts to activate external modules, calls to update software/OS, network communications, network accesses by viruses looking to spread, etc., as examples);
Designating, via the processor, the software application as a target application in response to determining that the determined probability exceeds a threshold value (Entire Document, for example, Abstract, 
Monitoring, via the processor, activities of the designated target application to collect behavior information (Entire Document, for example, Abstract, Paragraphs 11, 16-18, 20-25, 28-31, 35, 36, and 40 and associated figures; monitoring activities and behavior, for example);
Analyzing, via the processor, the collected behavior information to predict a triggering condition that the designated target application requires to be present in the computing device before it will exhibit the malicious activity (Entire Document, for example, Abstract, Paragraphs 11, 16-18, 20-25, 28-31, 35, 36, and 40 and associated figures; triggering conditions could be APIs, external function calls, state machines, other calls, etc., as examples);
Provisioning, via the processor, one or more resources based on the predicted triggering condition (Entire Document, for example, Abstract, 
Monitoring, via the processor, activities of the designated target application corresponding to the provisioned resource (Entire Document, for example, Abstract, Paragraphs 11, 16-18, 20-25, 28-31, 35, 36, and 40 and associated figures; monitoring for the various triggers, for example); and
Determining, via the processor, whether the designated target application is malicious based on the monitored activities (Entire Document, for example, Abstract, Paragraphs 11, 16-18, 20-25, 28-31, 35, 36, and 40 and associated figures; putting a program on a watch list, identifying a program as potentially malicious, going through a set of programs in order to determine subsets of each subset in order to determine a smaller subset of potentially malicious applications, etc., as examples);
But does not appear to explicitly disclose that the probability is determined based on an analysis of a current permission of the software application.  
Converse also discloses monitoring, via the processor, activities of the designated target application to collect behavior information (Entire 
Analyzing, via the processor, the collected behavior information to predict a triggering condition that the designated target application requires to be present in the computing device before it will exhibit the malicious activity (Entire Document, for example, Abstract, Paragraphs 37, 39-45, 47, 48, 51, 55, 66, 70, 71, 74, 76-82, 85, 87, 92, 99, 102, 104, and 111-114 and associated figures; any form of triggering condition, such as a specific vulnerability, a specific method of exploiting a vulnerability, a probe, a new vulnerability just discovered, a method of exploiting such a new vulnerability, etc., as examples);
Provisioning, via the processor, one or more resources based on the predicted triggering condition (Entire Document, for example, Abstract, Paragraphs 37, 39-45, 47, 48, 51, 55, 66, 70, 71, 74, 76-82, 85, 87, 92, 99, 102, 104, and 111-114 and associated figures; any resources provisioned for monitoring, creating a honeypot, morphing the honeypot, emulating new services, modifying currently emulated services, etc., as examples);
Monitoring, via the processor, activities of the designated target application corresponding to the provisioned resource (Entire Document, for example, Abstract, Paragraphs 37, 39-45, 47, 48, 51, 55, 66, 70, 71, 74, 76-82, 85, 87, 92, 99, 102, 104, and 111-114 and associated figures; 
Determining, via the processor, whether the designated target application is malicious based on the monitored activities (Entire Document, for example, Abstract, Paragraphs 37, 39-45, 47, 48, 51, 55, 66, 70, 71, 74, 76-82, 85, 87, 92, 99, 102, 104, and 111-114 and associated figures; determining that a particular client is malicious, for example).  It would have been obvious to one of ordinary skill in the art at the time of applicant's invention, which is before any effective filing date of the claimed invention, to incorporate the morphing honeypot techniques of Converse into the malicious program detection system of Flores in order to better lure malicious users in, provide a more attractive honeypot, provide additional information for tracking a malicious client, stay up to the date with respect to vulnerabilities, dynamically change the honeypot and monitoring system, and/or increase security in the system.  
Paul, however, discloses that the probability is determined based on an analysis of a current permission of the software application (Exemplary Citations: for example, Column 24, line 42 to Column 25, line 30; security score based on security analysis, application permissions, reputation, feedback, app behavior, etc., as examples).  It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the score creation and usage techniques of Paul into the 
Regarding Claim 15,
Claim 15 is a device claim that corresponds to method claim 1 and is rejected for the same reasons.  
Regarding Claim 29,
Claim 29 is a medium claim that is broader than method claim 1 and is rejected for the same reasons.  
Regarding Claim 30,
Claim 30 is a device claim that is broader than method claim 1 and is rejected for the same reasons.  
Regarding Claim 2,
Flores as modified by Converse and Paul discloses the method of claim 1, in addition, Flores discloses that monitoring activities of the designated target application comprises monitoring a group of applications (Entire Document, for example, Abstract, Paragraphs 11, 16-18, 20-25, 28-31, 35, 36, and 40 and associated figures; the system monitors multiple applications for the same calls (e.g., API calls), for example); and
Converse discloses that monitoring activities of the designated target application comprises monitoring a group of applications (Entire 
Regarding Claim 16,
Claim 16 is a device claim that corresponds to method claim 2 and is rejected for the same reasons.  
Regarding Claim 3,
Flores as modified by Converse and Paul discloses the method of claim 1, in addition, Flores discloses determining, via the processor, whether the software application currently executing on the computing device is potentially malicious (Entire Document, for example, Abstract, Paragraphs 11, 16-18, 20-25, 28-31, 35, 36, and 40 and associated figures; determining whether an application is malicious, for example).  
Regarding Claim 17,
Claim 17 is a device claim that corresponds to method claim 3 and is rejected for the same reasons.  
Regarding Claim 4,
Flores as modified by Converse and Paul discloses the method of claim 3, in addition, Flores discloses that determining whether the software application currently executing on the computing device is potentially malicious includes analyzing at least one of a permission of the software application corresponding to accessing a resource of the 
Converse discloses that determining whether the software application is potentially malicious includes analyzing at least one of a permission of the software application corresponding to accessing a resource of the computing device or stored activity data indicating a previous activity of the software application (Entire Document, for example, Abstract, Paragraphs 37, 39-45, 47, 48, 51, 55, 66, 70, 71, 74, 76-82, 85, 87, 92, 99, 102, 104, and 111-114 and associated figures; activity log, determining if a probe uses a previously used piece of data (e.g., IP address, SSID, WEP key), etc., as examples).  
Regarding Claim 18,
Claim 18 is a device claim that corresponds to method claim 4 and is rejected for the same reasons.  
Regarding Claim 5,
Flores as modified by Converse and Paul discloses the method of claim 1, in addition, Flores discloses that provisioning the one or more resources based on the predicted triggering condition includes at least one of provisioning a device component based on the predicted triggering condition or provisioning data based on the predicted triggering condition 
Converse discloses that provisioning the one or more resources based on the predicted triggering condition includes at least one of provisioning a device component based on the predicted triggering condition or provisioning data based on the predicted triggering condition (Entire Document, for example, Abstract, Paragraphs 37, 39-45, 47, 48, 51, 55, 66, 70, 71, 74, 76-82, 85, 87, 92, 99, 102, 104, and 111-114 and associated figures; as above, additionally, the honeypot may include virtually any form of honeypot, such as façade directories, files, servers, etc., as examples).  
Regarding Claim 19,
Claim 19 is a device claim that corresponds to method claim 5 and is rejected for the same reasons.  
Regarding Claim 6,
Flores as modified by Converse and Paul discloses the method of claim 5, in addition, Flores discloses provisioning the device component based on the predicted triggering condition comprises provisioning at least one of an installed application, an operating system, a network interface, a 
Converse discloses provisioning the device component based on the predicted triggering condition comprises provisioning at least one of an installed application, an operating system, a network interface, a processing unit, a data storage unit, a coupled device, an output unit, an input unit, or a sensor (Entire Document, for example, Abstract, Paragraphs 37, 39-45, 47, 48, 51, 55, 66, 70, 71, 74, 76-82, 85, 87, 92, 99, 102, 104, and 111-114 and associated figures).  
Regarding Claim 20,
Claim 20 is a device claim that corresponds to method claim 6 and is rejected for the same reasons.  
Regarding Claim 7,
Flores as modified by Converse and Paul discloses the method of claim 5, in addition, Flores discloses that provisioning the data based on the predicted triggering condition comprises provisioning at least one of a contact list, a stored file, personal information, networking conditions data, subscription information, location information, system information, known vulnerability information, or sensor data (Entire Document, for example, Abstract, Paragraphs 11, 16-18, 20-25, 28-31, 35, 36, and 40 and associated figures); and

Regarding Claim 8,
Flores as modified by Converse and Paul discloses the method of claim 1, in addition, Flores discloses that predicting the triggering condition that will cause the designated target application to launch the malicious activity includes evaluating a permission of the designated target application, a resource previously accessible to the designated target application, or stored activity data indicating a previous activity of the designated target application (Entire Document, for example, Abstract, Paragraphs 11, 16-18, 20-25, 28-31, 35, 36, and 40 and associated figures; going through each call in the execution path, then following another execution path in sequence, for example); and
Converse discloses that predicting the triggering condition that will cause the designated target application to launch the malicious activity includes evaluating a permission of the designated target application, a resource previously accessible to the designated target application, or stored activity data indicating a previous activity of the designated target 
Regarding Claim 22,
Claim 22 is a device claim that corresponds to method claim 8 and is rejected for the same reasons.  
Regarding Claim 9,
Flores as modified by Converse and Paul discloses the method of claim 1, in addition, Flores discloses that provisioning the one or more resources based on the predicted triggering condition includes: adjusting a resource previously visible on the designated target application based on the predicted triggering condition, or configuring a resource that was previously invisible to the designated target application so that the resource becomes visible to the designated target application (Entire Document, for example, Abstract, Paragraphs 11, 16-18, 20-25, 28-31, 35, 36, and 40 and associated figures; creating honeypot, for example); and
Converse discloses that provisioning the one or more resources based on the predicted triggering condition includes: adjusting a resource previously visible on the designated target application based on the predicted triggering condition, or configuring a resource that was previously invisible to the designated target application so that the resource becomes visible to the designated target application (Entire 
Regarding Claim 23,
Claim 23 is a device claim that corresponds to method claim 9 and is rejected for the same reasons.  
Regarding Claim 10,
Flores as modified by Converse and Paul discloses the method of claim 1, in addition, Flores discloses that provisioning the one or more resources based on the predicted triggering condition comprises creating a virtual resource based on the predicted triggering condition, wherein the virtual resource represents an emulated device component, data that is not present within the computing device, or data that is not supported by the computing device (Entire Document, for example, Abstract, Paragraphs 11, 16-18, 20-25, 28-31, 35, 36, and 40 and associated figures; honeypot, for example); and
Converse discloses that provisioning the one or more resources based on the predicted triggering condition comprises creating a virtual resource based on the predicted triggering condition, wherein the virtual resource represents an emulated device component, data that is not present within the computing device, or data that is not supported by the computing device (Entire Document, for example, Abstract, Paragraphs 
Regarding Claim 24,
Claim 24 is a device claim that corresponds to method claim 10 and is rejected for the same reasons.  
Regarding Claim 11,
Flores as modified by Converse and Paul discloses the method of claim 1, in addition, Flores discloses that monitoring activities of the designated target application corresponding to the provisioned resources comprises detecting an API call made by the designated target application (Entire Document, for example, Abstract, Paragraphs 11, 16-18, 20-25, 28-31, 35, 36, and 40 and associated figures; monitoring for API calls, for example).  
Regarding Claim 25,
Claim 25 is a device claim that corresponds to method claim 11 and is rejected for the same reasons.  
Regarding Claim 12,
Flores as modified by Converse and Paul discloses the method of claim 1, in addition, Flores discloses that determining whether the designated target application is malicious based on the monitored activities comprises evaluating the monitored activities and evaluating stored activity data indicating previous activities of the designated target 
Converse discloses that determining whether the designated target application is malicious based on the monitored activities comprises evaluating the monitored activities and evaluating stored activity data indicating previous activities of the designated target application (Entire Document, for example, Abstract, Paragraphs 37, 39-45, 47, 48, 51, 55, 66, 70, 71, 74, 76-82, 85, 87, 92, 99, 102, 104, and 111-114 and associated figures; any use of activity log, database, etc., for example).  
Regarding Claim 26,
Claim 26 is a device claim that corresponds to method claim 12 and is rejected for the same reasons.  
Regarding Claim 13,
Flores as modified by Converse and Paul discloses the method of claim 1, in addition, Flores discloses updating stored activity data for the designated target application in response to determining that the designated target application is malicious, wherein the stored activity data includes information regarding the provisioned resources (Entire Document, for example, Abstract, Paragraphs 11, 16-18, 20-25, 28-31, 35, 36, and 40 and associated figures; updating previous data, such as weightings, for example); and

Regarding Claim 27,
Claim 27 is a device claim that corresponds to method claim 13 and is rejected for the same reasons.  
Regarding Claim 14,
Flores as modified by Converse and Paul discloses the method of claim 1, in addition, Flores discloses transmitting a report message indicating the predicted triggering condition in response to determining that the designated target application is malicious (Entire Document, for example, Abstract, Paragraphs 11, 16-18, 20-25, 28-31, 35, 36, and 40 and associated figures; any report to any entity regarding a malicious application, for example); and
Converse discloses transmitting a report message indicating the predicted triggering condition in response to determining that the designated target application is malicious (Entire Document, for example, Abstract, Paragraphs 37, 39-45, 47, 48, 51, 55, 66, 70, 71, 74, 76-82, 85, 
Regarding Claim 28,
Claim 28 is a device claim that corresponds to method claim 14 and is rejected for the same reasons.  
Regarding Claim 21,
Flores as modified by Converse and Paul discloses the device of claim 19, in addition, Flores discloses that the processor is configured with processor executable instructions to perform operations such that provisioning the data based on the predicted triggering condition comprises provision at least one of a contact list, a stored file, personal information, networking conditions data, subscription information, location information, system information, known vulnerability information, or sensor data (Entire Document, for example, Abstract, Paragraphs 11, 16-18, 20-25, 28-31, 35, 36, and 40 and associated figures); and
Converse discloses that the processor is configured with processor executable instructions to perform operations such that provisioning the data based on the predicted triggering condition comprises provision at least one of a contact list, a stored file, personal information, networking conditions data, subscription information, location information, system information, known vulnerability information, or sensor data (Entire Document, for example, Abstract, Paragraphs 37, 39-45, 47, 48, 51, 55, 

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Jeffrey D Popham whose telephone number is (571)272-7215.  The examiner can normally be reached on Monday through Friday 9:00-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached on (469) 295-9235.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 




/Jeffrey D. Popham/Primary Examiner, Art Unit 2432