DETAILED ACTION
1.	This office action is in response to the communication filed on 04/20/2021.

Notice of Pre-AIA or AIA Status
2.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
3.	A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant’s submission filed on 04/20/2021 has been entered.

EXAMINER’S AMENDMENT
4.	An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in the telephone interview, on 04/29/2021, with attorney Myrna M. Schelling (Reg. No. 54,426).
The application has been amended as follows: 

1.  (Currently Amended)  A system for identifying and analyzing system calls to identify potentially malicious software code, the system comprising:
	a processor comprising a performance monitoring unit and configured to run an operating system, the operating system comprising a kernel; 
	a system call monitoring module, executed by the processor, for configuring the performance monitoring unit to: 
identify a system call to the kernel, by counting one or more FAR branches that are destined for the kernel, thereby encapsulating a system call instruction that generates the system call, wherein the system call comprises the one or more FAR branches; and
generate monitoring data from the system call that comprises at least two of information about a path to a file to be accessed by the system call, a memory address or range of addresses to be accessed by the system call, information about a socket that is being used by the system call in order to send or receive data, as well as history of system calls in order to monitor for specific sequences of system calls; and
	 a data analysis module, executed by the processor, to analyze the monitoring data in light of previously stored data, to learn from the previously stored data and the monitoring data, and to generate an alert based on the 

17.  (Currently Amended)  A method for identifying and analyzing system calls to identify potentially malicious software code in a system comprising a processor, the processor further comprising a performance monitoring unit, the method comprising:
	running, by the processor, an operating system comprising a kernel;
	configuring, by a system call monitoring module, the performance monitoring unit; 
identifying, by the performance monitoring unit, a system call to the kernel, by counting one or more FAR branches that are destined for the kernel, thereby encapsulating a system call instruction that generates the system call, wherein the system call comprises the one or more FAR branches; [[and]]
generating monitoring data at least two of information about a path to a file to be accessed by the system call, a memory address or range of addresses to be accessed by the system call, information about a socket that is being used by the system call in order to send or receive data, as well as history of system calls in order to monitor for specific sequences of system calls;
	analyzing the monitoring data, by a data analysis module, in light of previously stored data; 

generating, by the data analysis module, an alert based on the monitoring data, the alert indicating that the system call was generated by potentially malicious software code.

30.  (Currently Amended)  A non-transitory computer-readable storage medium having embodied thereon a program, the program executable by a processor to perform a method for identifying and analyzing system calls to identify potentially malicious software code in a system comprising a processor, the processor further comprising a performance monitoring unit, the method comprising:
	running, by the processor, an operating system comprising a kernel;
	configuring, by a system call monitoring module, the performance monitoring unit; 
identifying, by the performance monitoring unit, a system call to the kernel, by counting one or more FAR branches that are destined for the kernel, thereby encapsulating a system call instruction that generates the system call, wherein the system call comprises the one or more FAR branches;
generating monitoring data from the system call that comprises at least two of information about a path to a file to be accessed by the system call, a memory address or range of addresses to be accessed by the system call, information about a socket that is being used by the system call in order to send or receive data, as well as history of system calls in order to monitor for specific sequences of system calls;
	analyzing the monitoring data, by a data analysis module, in light of previously stored data; 
learning, by the data analysis module, from the previously stored data and the monitoring data; and
generating, by the data analysis module, an alert based on the monitoring data, the alert indicating that the system call was generated by potentially malicious software code. 

31.  (Currently Amended) The non-transitory computer-readable storage medium of claim 30, the method further comprising

32.  (Currently Amended) The non-transitory computer-readable storage medium of claim 31, wherein the action comprises suspending or deleting the potentially malicious code from being further executed by the processor.

33.  (Currently Amended)  The non-transitory computer-readable storage medium of claim 31, wherein the action comprises adding the potentially malicious code to a list of code to not be executed by the processor.

34.  (Currently Amended)  The non-transitory computer-readable storage medium of claim 31, wherein the action comprises instructing the kernel to ignore the system call.
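The data analysis module recited in claims 1, 17 and 30, as an added toy example that is not part of the application or of this office action: it learns three-call sequences from previously stored monitoring records, judges each fresh record against what it has learned so far, and emits an alert that names one of the actions recited in claims 32 to 34. The record layout, the sensitive-path watch list and both sample traces are assumptions constructed here; identifying the system call from the performance monitoring unit's FAR-branch count is outside the snippet.

```python
from collections import Counter, deque
from dataclasses import dataclass
from typing import Deque, List, Optional, Tuple

@dataclass
class SyscallRecord:             # one unit of monitoring data (constructed here)
    name: str                    # system call identified via its FAR branch
    path: Optional[str] = None   # file path accessed, if any
    socket: Optional[str] = None # socket endpoint used, if any

@dataclass
class Alert:
    sequence: Tuple[str, ...]    # the system-call history that triggered it
    reason: str
    action: str                  # one of the actions recited in claims 32-34

class DataAnalysisModule:
    N = 3                                        # length of learned sequences
    SENSITIVE = ("/etc/shadow", "/etc/sudoers")  # constructed watch list

    def __init__(self, stored: List[SyscallRecord]) -> None:
        self.known: Counter = Counter()          # sequence -> times seen
        self.history: Deque[str] = deque(maxlen=self.N)
        for rec in stored:                       # learn from stored data first
            self._learn(rec.name)

    def _learn(self, name: str) -> Optional[Tuple[str, ...]]:
        self.history.append(name)
        if len(self.history) < self.N:
            return None                          # history not yet full
        seq = tuple(self.history)
        self.known[seq] += 1
        return seq

    def analyze(self, rec: SyscallRecord) -> Optional[Alert]:
        seq = self._learn(rec.name)              # learn from new data as well
        if rec.path is not None and rec.path.startswith(self.SENSITIVE):
            return Alert(seq or (), "access to sensitive path",
                         "instruct kernel to ignore the system call")
        if seq is not None and self.known[seq] == 1:   # first time ever seen
            return Alert(seq, "unseen system-call sequence", "suspend execution")
        return None

def run(stored: List[SyscallRecord], observed: List[SyscallRecord]) -> List[Alert]:
    return [a for a in map(DataAnalysisModule(stored).analyze, observed) if a]

# constructed sample data: a benign baseline and a trace that drifts from it
BASELINE = [SyscallRecord(n) for n in ["open", "read", "close"] * 2]
OBSERVED = [SyscallRecord(n) for n in ["open", "read", "close", "socket"]] + [
    SyscallRecord("connect", socket="10.0.0.5:4444"), SyscallRecord("open", path="/etc/shadow")]
```

Running `run(BASELINE, OBSERVED)` yields three alerts: two for the never-seen sequences ending in `socket` and `connect`, and one for the access to `/etc/shadow`.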

Allowable Subject Matter
5.	In light of the examiner’s amendment authorized by the applicant’s representative, claims 1, 9, 13-17 and 19-34 are allowed.

6.	The following is an examiner’s statement of reasons for allowance: 
The present invention is directed toward a method for monitoring system calls to an operating system kernel.  Independent claims 1, 17 and 30 recite the uniquely distinct features of identifying a system call comprising one or more FAR branches to a kernel; counting the one or more FAR branches that are destined for the kernel; generating monitoring data from the system call that comprises at least two of information about a path to a file to be accessed by the system call, a memory address or range of addresses to be accessed by the system call, information about a socket that is being used by the system call in order to send or receive data, as well as history of system calls in order to monitor for specific sequences of system calls; analyzing the monitoring data in light of previously stored data; and generating an alert based on the monitoring data, the alert indicating that the system call was generated by potentially malicious software code.  These features, taken in combination with the remaining limitations of the independent claims, are not found in and/or are not obvious in view of the closest prior art of record.
One of the closest prior art references, Fiala et al. (US 20150150130 A1), discloses a method to detect malicious behavior of an application seeking root access to a computing system, wherein system/function calls made by the application are analyzed to detect malicious behavior of the application. The other closest prior art reference, Ding et al. 
Therefore, claims 1, 17, 30, and the respective dependent claims 9, 13-16 and 19-29, 31-34 are in condition for allowance.

Conclusion
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance”.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HUAN V. DOAN whose telephone number is 571-272-3809. The examiner can normally be reached on Monday – Thursday, 9:00am – 5:00pm EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, KRISTINE KINCAID, can be reached on 571-272-4063.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  

/HUAN V DOAN/Primary Examiner, Art Unit 2437