DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-25 are pending in this application.
Claims 1-4, 13-16 and 25 are currently amended.
No new IDS has been filed.

Response to Arguments
The previous 103 rejections to the claims 1-25 have been withdrawn in response to the applicants’ amendments/remarks.

Allowable Subject Matter
Claims 1, 5-13 and 17-31 are allowed.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicants, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner's amendment was given via email with Kevin Kunzendorf (Reg. no. 58,308) on 5/7/2021.
  

IN THE CLAIMS


1. (currently amended):  	A method comprising:
rolling back, by at least one processor, a virtual machine to an initiating state in response to detecting a trigger event of the virtual machine;
loading, in the initiating state by the at least one processor, page content of a target URL using the virtual machine;
running, using the virtual machine by the at least one processor, an application program linked to the page content;
obtaining, by the at least one processor, a first system file snapshot file by copying a system file of the virtual machine in the initiating state before loading the page content;
obtaining, by the at least one processor, a second system file snapshot file by copying a system file of the virtual machine in the state in which the loading of the page content is completed; and
obtaining, by the at least one processor, a third system file snapshot file by copying a system file of the virtual machine in the state in which the application program is being run;
determining, by the at least one processor, a security level of the page content based on a first comparison of the first system snapshot file and the second system snapshot file;
determining, by the at least one processor, a security level of the application program based on a second comparison of the first system snapshot file and the third system snapshot file; and
performing, by the at least one processor, malicious URL detection on the target URL based on the security level of the page content and the security level of the application program.

2. (canceled).

3. (canceled).

4. (canceled).

5. (currently amended): 	The method according to claim 1, wherein the determining the security level of the page content comprises:
determining, by the at least one processor, a first modification trace quantity based on the first system snapshot file and the second system snapshot file, the first modification trace quantity being a modification trace quantity of the second system snapshot file relative to the first system snapshot file; and
determining, by the at least one processor, the security level of the page content based on the first modification trace quantity.


7. (currently amended):  	The method according to claim 6, wherein the determining the security level of the application program comprises:
determining, by the at least one processor, a second modification trace quantity based on the first system snapshot file and the third system snapshot file, the second modification trace quantity being a modification trace quantity of the third system snapshot file relative to the first system snapshot file; and
determining, by the at least one processor, the security level of the application program based on the second modification trace quantity.



10. (currently amended):  	The method according to claim 1, wherein the determining the security level of the application program comprises:
determining, by the at least one processor, a modification trace quantity of the third system snapshot file relative to the first system snapshot file; and
determining, by the at least one processor, the security level of the application program based on the modification trace quantity.


claim 1, wherein the copying the system file of the virtual machine in the state in which the application program is being run comprises:
capturing, by the at least one processor, in a process of installing the application program, a first installation interface picture of the application program using the virtual machine;
determining, by the at least one processor, a similarity degree between the first installation interface picture and a pre-stored second installation interface picture of the application program captured previously using the virtual machine, the pre-stored second installation interface picture is an installation interface picture captured at a time at which the application program was in a secure state; and
only in response to the similarity degree being greater than a similarity degree threshold, determining that the application program is a secure application program and copying the system file of the virtual machine in the state in which the application program is being run.

13. (currently amended):    	An apparatus comprising:
at least one memory configured to store computer program code; and
at least one processor configured to access the at least one memory and operate according to the computer program code, the computer program code including:
roll back code configured to cause at least one of the at least one processor to roll back a virtual machine to an initiating state in response to detecting a trigger event of the virtual machine;

running code configured to cause at least one of the at least one processor to run, using the virtual machine, an application program linked to the page content;
obtaining code configured to cause at least one of the at least one processor to obtain a first system snapshot file by copying a system file of the virtual machine in the initiating state before the loading of the page content, to obtain a first system snapshot file; obtain a second system snapshot file by copying a system file of the virtual machine in the state in which the loading of the page content is completed, to obtain a second system snapshot file; and obtain a third system snapshot file by copying a system file of the virtual machine in the state in which the application program is being run, to obtain a third system snapshot file;
page security code configured to cause at least one of the at least one processor to determine a security level of the page content based on a first comparison of the first system snapshot file and the second system snapshot file;
application security code configured to cause at least one of the at least one processor to determine a security level of the application program based on a second comparison of the first system snapshot file and the third system snapshot file;
detection code configured to cause at least one of the at least one processor to perform malicious URL detection on the target URL based on the security level of the page content and the security level of the application program.

14. (canceled).

15. (canceled).

16. (canceled).

17. (currently amended):  	The apparatus according to claim 13, wherein the page security code is further configured to cause at least one of the at least one processor to:
determine a first modification trace quantity based on the first system snapshot file and the second system snapshot file, the first modification trace quantity being a modification trace quantity of the second system snapshot file relative to the first system snapshot file; and
determine the security level of the page content based on the first modification trace quantity.


22. (currently amended):  	The apparatus according to claim 13, wherein the application security code is further configured to cause at least one of the at least one processor to:

determine the security level of the application program based on the modification trace quantity.


24. (currently amended):  	The apparatus according to claim 13, wherein the obtaining code is configured to cause the at least one of the at least one processor to:
capture, in a process of installing the application program, a first installation interface picture of the application program using the virtual machine;
determine a similarity degree between the first installation interface picture and a pre-stored second installation interface picture of the application program captured previously using the virtual machine, the pre-stored second installation interface picture being an installation interface picture captured at a time at which the application program was in a secure state; and
only in response to the similarity degree being greater than a similarity degree threshold, determine that the application program is a secure application program and copy the system file of the virtual machine in the state in which the application program is being run.


rolling back a virtual machine to an initiating state in response to detecting a trigger event of the virtual machine;
loading, in the initiating state, page content of a target URL using the virtual machine;
running, using the virtual machine, an application program linked to the page content;
obtaining a first system file snapshot file by copying a system file of the virtual machine in the initiating state before loading the page content;
obtaining a second system file snapshot file by copying a system file of the virtual machine in the state in which the loading of the page content is completed; 
obtaining a third system file snapshot file by copying a system file of the virtual machine in the state in which the application program is being run; 
determining a security level of the page content based on a first comparison of the first system snapshot file and the second system snapshot file;
determining a security level of the application program based on a second comparison of the first system snapshot file and the third system snapshot file; and
performing malicious URL detection on the target URL based on the security level of the page content and the security level of the application program.


26. (new): 	The non-transitory computer readable storage medium according to claim 25, wherein the determining the security level of the page content comprises:
determining a first modification trace quantity based on the first system snapshot file and the second system snapshot file, the first modification trace quantity being a modification trace quantity of the second system snapshot file relative to the first system snapshot file; and
determining the security level of the page content based on the first modification trace quantity.

27. (new):  	The non-transitory computer readable storage medium according to claim 26, wherein the determining the security level of the application program comprises:
determining a second modification trace quantity based on the first system snapshot file and the third system snapshot file, the second modification trace quantity being a modification trace quantity of the third system snapshot file relative to the first system snapshot file; and
determining the security level of the application program based on the second modification trace quantity.


in response to both the security level of the page content and the security level of the application program being secure, determining that the target URL is a secure URL;
in response to at least one of the security level of the page content or the security level of the application program being risky, determining that the target URL is risky; and
in response to at least one of the security level of the page content or the security level of the application program is malicious, determining that the target URL is a malicious URL.

29. (new):  	The non-transitory computer readable storage medium according to claim 25, wherein the determining the security level of the application program comprises:
determining a modification trace quantity of the third system snapshot file relative to the first system snapshot file; and
determining the security level of the application program based on the modification trace quantity.

30. (new): 	The non-transitory computer readable storage medium according to claim 29, wherein:

in response to the modification trace quantity being less than the third threshold and greater than or equal to a fourth threshold, determining that the security level of the application program is risky; and
in response to the modification trace quantity being less than the fourth threshold, determining that the security level of the application program is secure.

31. (new): 	The non-transitory computer readable storage medium according to claim 25, wherein the copying the system file of the virtual machine in the state in which the application program is being run comprises:
capturing in a process of installing the application program, a first installation interface picture of the application program using the virtual machine;
determining a similarity degree between the first installation interface picture and a pre-stored second installation interface picture of the application program captured previously using the virtual machine, the pre-stored second installation interface picture is an installation interface picture captured at a time at which the application program was in a secure state; and
only in response to the similarity degree being greater than a similarity degree threshold, determining that the application program is a secure application program and copying the system file of the virtual machine in the state in which the application program is being run.
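
The snapshot comparison recited in the claims above, sketched as an added Python example (not code from the application or from the cited references). Both the page-load snapshot and the application-run snapshot are compared against the first, pre-load snapshot, each modification trace quantity is graded against two thresholds, and the two levels are combined into a URL verdict. Assumptions: a snapshot is modeled as a path-to-bytes mapping, a modification trace is any path added, removed or changed, the threshold values are illustrative, the topmost (malicious) grading branch is assumed because only the risky and secure branches appear in the text above, and all names are hypothetical.

```python
import hashlib
from enum import IntEnum


class Level(IntEnum):
    SECURE = 0
    RISKY = 1
    MALICIOUS = 2


def digest(snapshot):
    """Map each path in a snapshot (path -> bytes) to the SHA-256 of its content."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in snapshot.items()}


def modification_traces(baseline, later):
    """Paths added, removed or changed in `later` relative to `baseline`."""
    old, new = digest(baseline), digest(later)
    return sorted(p for p in old.keys() | new.keys() if old.get(p) != new.get(p))


def level_from_quantity(quantity, malicious_at, risky_at):
    """Two-threshold grading; the malicious branch is an assumption (see lead-in)."""
    if risky_at > malicious_at:
        raise ValueError("risky_at must not exceed malicious_at")
    if quantity >= malicious_at:
        return Level.MALICIOUS
    if quantity >= risky_at:
        return Level.RISKY
    return Level.SECURE


def url_verdict(page_level, app_level):
    """Secure only when both levels are secure; otherwise the worse of the two."""
    return max(page_level, app_level)


def assess(first, second, third, malicious_at=3, risky_at=1):
    """Grade page and application against the same pre-load baseline (`first`)."""
    page_q = len(modification_traces(first, second))
    app_q = len(modification_traces(first, third))
    page = level_from_quantity(page_q, malicious_at, risky_at)
    app = level_from_quantity(app_q, malicious_at, risky_at)
    return page_q, app_q, url_verdict(page, app)


# Constructed sample snapshots (not real system files).
FIRST = {"hosts": b"127.0.0.1 localhost\n", "run_keys": b"", "system.ini": b"[boot]\n"}
SECOND = dict(FIRST)  # page load left the system files untouched
THIRD = {"hosts": b"127.0.0.1 localhost\n203.0.113.7 bank.example\n",
         "run_keys": b"updater=C:\\Temp\\u.exe\n",
         "svc.dll": b"\x4d\x5a"}  # system.ini removed, svc.dll added

if __name__ == "__main__":
    print(assess(FIRST, SECOND, THIRD))
```
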

Examiner’s Statement for Reasons for Allowance
The following is an examiner’s statement of reasons for allowance:

Regarding independent claims 1, 13 and 25,

LU (Pub. No.: US 2018/0152470 A1) teaches loading, in an initiating state, page content in virtual machine sandbox; also teaching running an application program linked to the page content; obtains system snapshot file of the virtual machine and performs analysis to detect malicious URL on the target URL; -e.g. see, [0039], [0056], [0057], [0059] of LU.

Ananthanarayanan et al. (Pub. No.: US 2014/0149492 A1) discloses a roll-back capability of virtual machines which includes the ability to roll-back if something went wrong; -e.g. see, [0027], [0332], [0338] of Ananthanarayanan.

However, the prior art of record does not teach or render obvious:
the limitations in independent claims 1, 13 and 25, specifically the following in combination with the other limitations:

obtaining a first system file snapshot file by copying a system file of the virtual machine in the initiating state before loading the page content;
obtaining a second system file snapshot file by copying a system file of the virtual machine in the state in which the loading of the page content is completed;
obtaining a third system file snapshot file by copying a system file of the virtual machine in the state in which the application program is being run;
determining a security level of the page content based on a first comparison of the first system snapshot file and the second system snapshot file;
determining a security level of the application program based on a second comparison of the first system snapshot file and the third system snapshot file; and
performing malicious URL detection on the target URL based on the security level of the page content and the security level of the application program.

Dependent claims 5-12, 17-24 and 26-31 are allowed as they depend from allowable independent claim 1 or 13 or 25.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance".

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
US 2019/0317948 A1-system for live migration and automated recovery of applications based on snapshots ([0235]-[0243]).
US 2009/0249119 A1-teaches restoring a plurality of files to their respective original states using snapshot (Fig. 4, [0052]).
US 2011/0167195 A1-teaches taking snapshot of memory & device state of virtual machines and uses a timer for continuous incremental checkpoint (Fig. 4, [0021], [0022]).


Any inquiry concerning this communication or earlier communications from the examiner should be directed to SUMAN DEBNATH whose telephone number is (571)270-1256.  The examiner can normally be reached on Mon-Fri; 9:00am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.



SUMAN DEBNATH
Patent Examiner
Art Unit 2495



/S.D/Examiner, Art Unit 2495     

/FARID HOMAYOUNMEHR/Supervisory Patent Examiner, Art Unit 2495