DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Amendments
Claims 4-7 and 18 have been canceled. Claims 1, 8, 16 and 20 have been amended. Claims 21-23 are newly added. The following claims 1-3, 8-17, and 19-23 have been examined and are pending.
Response to Arguments
Applicant's arguments, see pages 8-10, filed 04/28/2021, regarding the 103 rejections of Claims 1-3, 8-17, and 19-23 have been fully considered and are persuasive. The claims are now in condition for allowance.
Examiner’s Comments
The claims are now in condition for allowance.
Allowable Subject Matter
Claims 1-3, 8-17, and 19-23 are allowed.
This communication warrants No Examiner's Reason for Allowance; applicant's reply makes evident the reasons for allowance, satisfying the “record as a whole” provision of the rule 37 CFR 1.104(e). Specifically, the substance of applicant's arguments filed on 04/28/2021 is persuasive; as such, the reasons for allowance are in 
None of the prior art of record, including the references cited in the Applicant's Information Disclosure Statement either taken by itself or in any combination, would have anticipated or made obvious the invention of the present application at or before the time it was filed.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance."
Closest prior art made of record are:
Kawauchi US 20160239661 A1 teaches attack activity definition information database 111 stores, for a plurality of events, attack activity definition information describing an event, a precondition, and an achieved phenomenon. The event is observed by an information system when an attack against the information system is underway. The precondition is a prerequisite condition for the event to be observed. The achieved phenomenon is a phenomenon of the time after the event is observed. An event receiving part 108 receives observed event notice information notifying an observed event which is observed by the information system. An attack activity predicting part 105 acquires an achieved phenomenon from the attack 
Boucher US 20170315979 A1 teaches methods and systems for a document server communicatively coupled to at least one client computing device, a document comprising an operation log, wherein the operation log comprises at least one first sequential operation defining operations to create data values of the document, a document object model, wherein the document is at least partially positioned on at least one of the document server and a first client computing device of the at least one client computing device, and a formula engine, wherein the formula engine is structured to determine a calculation definition in response to the user formula value and the document object model [1053, 1063, 1143, and 1238 1451].
Sung et al US 20130305373 A1 teaches an apparatus for inspecting a non-PE file includes a data loading unit configured to load candidate malicious address information related to a malicious code of the non-PE file; and a program link unit configured to acquire normal address range information of a module being loaded on a memory when an application program adapted for the non-PE file is executed and set up a candidate malicious address corresponding to the candidate malicious address information to be a breakpoint of the application program. Further, the apparatus includes a 
Ranum et al US 20140013434 A1 teaches a system and method described herein may leverage active network scanning and passive network monitoring to provide strategic anti-malware monitoring in a network. In particular, the system and method described herein may remotely connect to managed hosts in a network to compute hashes or other signatures associated with processes running thereon and suspicious files hosted thereon, wherein the hashes may be communicated to a cloud database that aggregates all known virus or malware signatures that various anti-virus vendors have catalogued to detect malware infections without requiring the hosts to have a local or resident anti-virus agent. Furthermore, running processes and file system activity may be monitored in the network to further detect malware infections. Additionally, the network scanning and network monitoring may be used to detect hosts that may potentially be participating in an active botnet or hosting botnet content and audit anti-virus strategies deployed in the network [0048].
Wu CN 106845223 A teaches a method for detecting a malicious code which is applied to a client program operating on a terminal. The method comprises the steps of responding to an operation request received by the client program, and carrying out one or more steps selected from the following groups to determine whether or not there is a malicious code: detecting whether or not a system application file of an operation system starting the 
Guri et al US 20190332766 A1 teaches various automated techniques are described herein for the runtime detection/neutralization of malware executing on a computing device. The foregoing is achievable during a relatively early phase, for example, before the malware manages to encrypt any of the user's files. For instance, a malicious process detector may create decoy file(s) in a directory. The decoy file(s) may have attributes that cause such file(s) to reside at the beginning and/or end of a file list. By doing so, a malicious process targeting files in the directory will attempt to encrypt the decoy file(s) before any other file. The detector monitors operations to the decoy file(s) to determine whether a malicious process is active on the user's computing device. In response to determining that a malicious process is active, the malicious process detector takes protective measure(s) to neutralize the malicious process [0064].
Sheldon et al US 20080209138 A1 teaches embodiments for blocking the opening of a file. Some embodiments include receiving a request to open a file. In response, a portion of the file's data is examined to determine a true 
Tuvell et al. 20160012227 A1 teaches a system and method for detecting malware in compressed data. The system and method identifies a set of search strings extracted from compressed executables, each of which is infected with malware from a family of malware. The search strings detect the presence of the family of malware in other compressed executables, fragments of compressed executables, or data streams [paras 0016-0017, 0055-006, 0093, 0097-0098, 0104-0112 and 0122-0123].
Oh et al. 20080127346 A1 teaches a pattern analyzing/detecting method and a system using the same that are capable of detecting and effectively preventing an unknown malicious code attack. To detect such an attack, the method monitors the system to combine all behaviors exhibited within the system due to corresponding malicious codes, reprocess and learn the behaviors, analyze existing malicious behavior feature values (prediction patterns), and compare them with a behavior pattern exhibited by an execution code [paras 0006-0025, 0034-0036, 0046, and 0052-0053].
Ghosh et al. 7181768 B1 teaches an intrusion detection system (IDS) that uses application monitors for detecting application-based attacks against computer systems. The IDS implements application monitors in the form of a 
Kidron 7934103 B2 teaches a system and method for detecting and countering malicious code in an enterprise network are provided. A pattern recognition processor monitors local operations on a plurality of local machines connected through an enterprise network, to detect irregular local behavior patterns. An alert may be generated after an irregularity in behavior pattern on a local machine is detected. Irregular behavior alerts from a plurality of local machines are analyzed. If similar alerts are received from at least a threshold number of local machines over a corresponding period of time, one or more countermeasure operations are selected based on the analysis of the irregular behavior alerts. The selected countermeasure operations are communicated to the local machines and performed by the local machines [col 4, lines 58-67 and col 5, lines 5-17 and 49-67, and col 6, lines 1-47].
Sung et al. 7941855 B2 teaches a computer-implemented intrusion detection system and method for detecting computer network intrusions in real time are provided. A feature ranking algorithm is used to extract features of interest from a network and network activity. A kernel-based algorithm is used to analyze such features to determine if they are normal or malicious. If malicious, the activity is caused to be blocked [col 2, lines 33-39 and col 3, lines 1-45].
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAKINAH W TAYLOR whose telephone number is (571)270-0682. The examiner can normally be reached on Monday-Friday, 9:45-5:45.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ELENI SHIFERAW, can be reached on 571-272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR.

/SWT/Examiner, Art Unit 2497

/ELENI A SHIFERAW/Supervisory Patent Examiner, Art Unit 2497