Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


DETAILED ACTION
The instant application having Application No. 17/063,195 is presented for examination by the examiner.



Election/Restriction
Restriction to one of the following inventions is required under 35 U.S.C. 121:
I. Claims 1-28, drawn to detecting compromised software during execution, classified in 21/566.
II. Claims 29-30, drawn to monitoring execution of a software program at runtime, classified in 21/52.

The inventions are independent or distinct, each from the other because:
Inventions I and II are related as subcombinations disclosed as usable together in a single combination. The subcombinations are distinct if they do not overlap in scope and are not obvious variants, and if it is shown that at least one subcombination is separately usable. In the instant case, subcombination I has separate utility such as detecting granular code blocks and does not require the probabilistic software model representation of an expected normal execution of a software program of subcombination I. See MPEP § 806.05(d).
The examiner has required restriction between subcombinations usable together. Where applicant elects a subcombination and claims thereto are subsequently found allowable, any claim(s) depending from or otherwise requiring all the limitations of the allowable subcombination will be examined for patentability in accordance with 37 CFR 1.104.  See MPEP § 821.04(a).  Applicant is advised that if any claim presented in a continuation or divisional application is anticipated by, or includes all the limitations of, a claim that is allowable in the present application, such claim may be subject to provisional statutory and/or nonstatutory double patenting rejections over the claims of the instant application. 
Restriction for examination purposes as indicated is proper because all the inventions listed in this action are independent or distinct for the reasons given above and there would be a serious search and/or examination burden if restriction were not required because one or more of the following reasons apply:
the inventions have acquired a separate status in the art in view of their different classification
the inventions have acquired a separate status in the art due to their recognized divergent subject matter
the inventions require a different field of search (e.g., searching different classes/subclasses or electronic resources, or employing different search strategies or search queries).
Applicant is advised that the reply to this requirement to be complete must include (i) an election of an invention to be examined even though the requirement may be traversed (37 CFR 1.143) and (ii) identification of the claims encompassing the elected invention.
The election of an invention may be made with or without traverse. To reserve a right to petition, the election must be made with traverse. If the reply does not distinctly and specifically point out supposed errors in the restriction requirement, the election shall be treated as an election without traverse. Traversal must be presented at the time of election in order to be considered timely. Failure to timely traverse the requirement will result in the loss of right to petition under 37 CFR 1.144. If claims are added after the election, applicant must indicate which of these claims are readable upon the elected invention.
Should applicant traverse on the ground that the inventions are not patentably distinct, applicant should submit evidence or identify such evidence now of record showing the inventions to be obvious variants or clearly admit on the record that this is the case. In either instance, if the examiner finds one of the inventions unpatentable over the prior art, the evidence or admission may be used in a rejection under 35 U.S.C. 103 or pre-AIA 35 U.S.C. 103(a) of the other invention.
Ryan Schneider on 3/26/21 a provisional election was made without traverse to prosecute the invention of group I, claims 1-28.  Affirmation of this election must be made by applicant in replying to this Office action.  Claims 29 and 30 are withdrawn from further consideration by the examiner, 37 CFR 1.142(b), as being drawn to a non-elected invention.
Applicant is reminded that upon the cancellation of claims to a non-elected invention, the inventorship must be corrected in compliance with 37 CFR 1.48(a) if one or more of the currently named inventors is no longer an inventor of at least one claim remaining in the application. A request to correct inventorship under 37 CFR 1.48(a) must be accompanied by an application data sheet in accordance with 37 CFR 1.76 that identifies each inventor by his or her legal name and by the processing fee required under 37 CFR 1.17(i).


Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –








Claims 1-28 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by USP Application Publication 2016/0342791 to Gonzalez et al., hereinafter Gonzalez.

As per claim 1, Gonzalez teaches receiving a signal from a monitored device [target device] comprising hardware and running a software program (0006); and
monitoring the signal representative of an actual execution [side-channel information] of the software program running on the monitored device based upon (0024 and 0034):
a probabilistic software model representative of an expected normal execution of the software program running on the monitored device (software model of same code; 0054); and
an expected normal set of hardware/software interaction events [app events] of the software program running on the monitored device [model building the target device (0046) by testing the device in a known good state (0051) with various input vectors to trigger operation of the device and use this as one of the bases for comparison to actual detected signals; 0034].

As per claim 12, Gonzalez teaches receiving a signal from a monitored device comprising hardware and running a software program (0006); and 

a probabilistic software model representative of an expected normal execution of the software program running on the monitored device (software model of same code; 0054); and 
a probabilistic hardware-software interaction model representative of an expected normal set of hardware/software interaction events of the software program running on the monitored device [model building the target device (0046) by testing the device in a known good state (0051) with various input vectors to trigger operation of the device and use this as one of the bases for comparison to actual detected signals; 0034]. Both models, which are part of the reference data, are fed back into the PFP references database 207 so that PFP analytics will be able to retrieve the reference data and compare it to the side-channel information for anomaly detection. Gonzalez models both how the program is supposed to execute and how it is supposed to interact with the hardware of the target system (see 0087).

As per claim 24, Gonzalez teaches a method comprising: 
storing a set of predicted computational activities reflective of a processing activity of a monitored device that is uncompromised (0034); 
wirelessly receiving [205/206 wirelessly receive signals through wireless network 204; 0029] signals emanating from the monitored device [target device produces electromagnetic emissions; 22], the signals reflective of a set of actual computational activities of the monitored device during the processing activity (0024 and 0034); 

transmitting data indicative of the probability that an anomalous event exists (0041); wherein if the probability that an anomalous event evidences an actual anomalous event, the data indicative of the actual anomalous event comprises: 
at what point in the processing activity the anomalous event occurred [gathering intelligence and forensic information from the attack] (0087 and 0103); and 
when the anomalous event occurred [logs] (0037 and 0103).

As per claims 2 and 13, Gonzalez teaches the probabilistic software model defines a set of program executions that are possible during the expected normal execution of the program executions on the monitored device (0046 and 0047).
As per claims 3 and 16, Gonzalez teaches determining a probability that the monitored device is compromised (0036 and 0038).
As per claims 4 and 17, Gonzalez teaches determining that the monitored device is compromised is based upon the monitoring of the signal representative of the actual execution of the software program running on the monitored device (0036).
As per claims 5 and 18, Gonzalez teaches determining that the monitored device is compromised comprises applying signal processing to the received signal to compute 
As per claims 6 and 19, Gonzalez teaches determining the probability that the monitored device is compromised is based upon a difference between: the actual execution of the software program running on the monitored device [side channel info on app events]; and the expected normal execution of the software program running on the monitored device [reference data; 0034 and 0035].
As per claims 7 and 20, Gonzalez teaches determining the probability that the monitored device is compromised is based upon a difference between: the actual execution of the software program running on the monitored device (0034); and both the expected normal execution of the software program running on the monitored device (0035 and 0087) and the expected normal execution of the set of hardware/software interaction events of the software program running on the monitored device (0046 and 0051).
As per claims 8, 21, and 27, Gonzalez teaches performing spectral monitoring on the signal to identify a loop or program module of program code in the actual execution of the software program running on the monitored device (0028, 0031, and 0098).
As per claims 9 and 22, Gonzalez teaches determining code blocks [code segment] executed by the monitored device corresponding to the signal (0087); wherein at least one code block is selected from the group consisting of a loop and a program module [program segment/key instructions] of program code (0087).
As per claims 10 and 23, Gonzalez teaches the probabilistic software model comprises one or more of a control flow graph at basic code block granularity, 
As per claim 11, Gonzalez teaches the expected normal set of hardware/software interaction events of the software program running on the monitored device is based upon a probabilistic hardware-software interaction model (0046 and 0051).
As per claim 14, Gonzalez teaches the probabilistic hardware-software interaction model defines a set of hardware/software interaction events that are possible at each point [key instructions along the execution path] during the expected normal software execution of the program executions on the monitored device (0082 and 0087).
As per claim 15, Gonzalez teaches one or both of: the probabilistic SW model defines a set of program executions that are possible during the expected normal execution of the program executions on the monitored device (0046, 0047, and 0052); 
and the probabilistic hardware-software interaction model defines a set of hardware/software interaction events that are possible at each point during the expected normal software execution of the program executions on the monitored device (0082 and 0087).
As per claim 25, Gonzalez teaches the set of predicted computational activities is provided by a software model and a hardware-software interaction model of the monitored device (0046, 0051, and 0046).



Conclusion
The prior art made of record and not relied upon that is considered pertinent to applicant's disclosure is listed on the enclosed PTO-892 form.
NPL: "Practicality of using side-channel analysis for software integrity checking of embedded systems" is related:  “We explore practicality of using power consumption as a non-destructive non-interrupting method to check integrity of software in a microcontroller. We explore whether or not instructions can lead to consistently distinguishable side-channel information, and if so, how the side-channel characteristics differ.” (Abstract) 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL R. VAUGHAN whose telephone number is (571)270-7316.  The examiner can normally be reached on Monday - Thursday, 7:30am - 5:00pm, EST. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for 

/MICHAEL R VAUGHAN/
Primary Examiner, Art Unit 2431