DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This Office Action is in response to Application No. 16/606,740 filed on 10/19/2019.
Claims 1-15 have been examined and are pending in this application.
Priority
Acknowledgment is made of Applicant’s claim for foreign priority under 35 U.S.C. 119 (a)-(d) to parent Application No. PCT/US2018/016118, filed on 01/31/2018.
Information Disclosure Statement
The information disclosure statement (IDS), submitted on 10/19/2019, is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
Claim Interpretations
The following is a quotation of 35 U.S.C. 112(f):

(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 


The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

 	The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 

 	This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.   Such claim limitation(s) are: “a protection module to modify” in claim 1. 
Because these claim limitation(s) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, they are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.
	
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claim(s) 9 and 11-13 are rejected under 35 U.S.C. 102(a)(1) and 102(a)(2)  as being anticipated by over Ismael et al. (US 9,225,740; Hereinafter “Ismael”).
Regarding claim 9, Ismael teaches a non-transitory computer-readable medium storing executable instructions that (Ismael: Col. 20 line 60 - Col. 21, line 4), when executed, control a device to: 
modify, from a first environment of the device, data associated with a security process executing on a second environment of the device to cause a behavior change in the security process (Ismael: Fig. 1, Fig. 3, Col. 2 lines 3-67, Col. 3 lines 4-6, Col. 3, Lines 29-42, Col. 7, Lines 10-57); 
verify proper operation of the security process based on the behavior change (Ismael: Fig. 3, Col. 2, Lines 3-12, Col. 4, Lines 53-65, Col. 5, Lines 10-58, Col. 6, Lines 23-43); and 
perform a remedial action when the security process fails to exhibit the behavior change (Ismael: Claim 1, Col. 12, Lines 11-20, Col. 13, Lines 44-50, Col. 16, Lines 49-57).
Regarding claim 11, Ismael teaches the non-transitory computer-readable medium of claim 9, where the data associated with the security module are modified by: (Ismael: Col. 7 line 10 - Col. 8, line 32; Col. 18, lines 29-34).
Regarding claim 12, Ismael teaches the non-transitory computer-readable medium of claim 11, where the executable instructions are modified by altering a Boolean in memory to trigger whether a function of the security process executes, overwriting null operation instructions in the executable instructions associated with the security process with instructions that call specific functions, where the null operation instructions were inserted in the security process at compile time by a specially configured compiler, overwriting a function call in the executable instructions to trigger an alternative function call, and altering a function pointer in memory (Ismael: Col. 7 line 10 - Col. 8, line 32; Col. 18, lines 29-34).
Regarding claim 13, Ismael teaches the non-transitory computer-readable medium of claim 9, where verifying proper operation of the security module by one of: verifying a value received from the security process, where the value is generated based on the changed behavior, verifying that security reports provided by the security process include data collected as a result of the changed behavior, and verifying a state of in memory value modified by the security process during the operation of the security process, where the state depends on the changed behavior (Ismael: Col. 5 lines 10-58, Col. 6, Lines 23-43).
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction 
Claim(s) 1-8 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over Ismael et al. (US 9,225,740; Hereinafter “Ismael”) in view of Poornachandrean et al. (US 2012/0167218; Hereinafter “Poornachandrean”).
Regarding claim 1, Ismael teaches a system (Ismael: abstract, Fig. 1), comprising: a process operating in a general operating environment of the system (Ismael: Fig. 1, col. 2 lines 3-12, [application (108) = process]); and 
a protection module to modify the behavior of the process by modifying data associated with the process while the process is in operation (Ismael: Fig. 1, 3, col. 2, lines 3-67; col. 3, lines 4-6; col. 7, lines 10-57; [central intelligence engine (103) apply stimuli to application (108)]), 
to verify whether the behavior of the process has changed in accordance with the modification (Ismael: Fig. 3, col. 2, lines 3-12; col. 4, lines 53-65, col. 5, lines 10-58; col. 6, lines 23-43 [monitoring and observation of behavior the application (108)]), and 
to take a remedial action upon determining the process has been compromised (Ismael: - [reporting about malicious application (108) meets the remedial action limitation], claim 1, col. 12, lines 11-20, col. 13, lines 44-50, col. 16, lines 49-57).
Ismael does not explicitly teach a process operating in a general operating environment of the system; and an isolated environment comprising the protection module.
In an analogous art, Poornachandrean teaches a process operating in a general operating environment of the system; and an isolated environment comprising a protection module (Poornachandrean: Fig. 1, Para. [0014]-[0017], Para. [0016], In one embodiment, a behavior analysis module 140 running in security engine 130 is used by host application 112 to provide signature-independent system behavior-based malware detection. Host application 112 requests services of security engine 130, including signature-independent system behavior-based malware detection, via security engine interface (SEI) 114. Behavior analysis module 140 may be implemented as firmware executed by security engine 130. Para. [0028], For example, a snapshot of the system may be sent to a remote server for analysis. The remote server may perform validation of the snapshot and/or analyze the snapshot for virus signatures.  Para. [0030], Communication/logging agent 244 logs snapshots of the state of the system periodically and may transmit this information to a remote server such as enterprise server 170 of FIG. 1 for verification and/or analysis purposes. Para. [0047])
It would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Poornachandrean with the system and method of Ismael to include a process operating in a general operating environment of the system; and an isolated environment comprising the protection module because this functionality provides isolated environments for characterizing whether unexpected activity is legitimate and classify the source of the unexpected activity as malware if the unexpected activity is indeed not legitimate (Poornachandrean: Para. [0008]).
Regarding claim 2, Ismael, in combination with Poornachandrean, teaches the system of claim 1, where the isolated environment is one of a TrustZone system on chip, a hypervisor, a system management mode module, and an embedded controller (Poornachandrean: Fig. 1, Para. [0017], Communication between security engine 130 and enterprise server 170 occurs via out-of-band communication channel 152. In one embodiment, out-of-band communication channel 152 is a secure communication channel between security engine 130 on the host system and enterprise server 170. Out-of-band communication channel 152 enables security engine 130 to communicate with external servers independently of the host operating system 105 of platform 100. Para. [0014], Para. [0015]).
Regarding claim 3, Ismael, in combination with Poornachandrean, teaches the system of claim 1, where the process is at least one of an antivirus process, a firewall process, an authentication process, a cryptography process, an intrusion prevention process, a digital rights management process, and an intrusion detection process (Ismael: Col. 2, Lines 3-67).
Regarding claim 4, Ismael, in combination with Poornachandrean, teaches the system of claim 1, where the remedial action is one of, alerting an entity that the process has been compromised, disabling a function of the system, restoring the process to a known valid state, and turning off the system (Ismael: Col. 12, Lines 11-20, Col. 13, Lines 44-50, Col. 16, Lines 49-57).
Regarding claim 5, Ismael, in combination with Poornachandrean, teaches the system of claim 1, where the protection module modifies the behavior of the process by at least one of: altering executable instructions of the process, altering a Boolean in memory to trigger whether a function of the process executes, overwriting null operation instructions in the executable instructions associated with the process with instructions that call specific functions, where the null operation instructions were inserted in the process at compile time by a specially configured compiler, overwriting a function call in the executable instructions of the process to trigger an alternative function call, and altering a function pointer in memory (Ismael: Col. 7 line 10 - Col. 8, line 32; Col. 18, lines 29-34).
Regarding claim 6, Ismael, in combination with Poornachandrean, teaches the system of claim 1, where the protection module verifies the behavior of the process based on one of: verifying a value received from the process, where the value is generated based on the behavior modified by the protection module, verifying that security reports provided by the process to the protection module include data collected as a result of the behavior modification, and verifying a state of in memory value modified by the process during the operation of the process, where the state depends on the modified behavior (Ismael: Col. 5, Lines 37-54, Col. 5, lines 10-58, col. 6, lines 23-43).
Regarding claim 7, Ismael, in combination with Poornachandrean, teaches the system of claim 1, where the protection module is to receive instructions for modifying the behavior of the process from a remote device (Poornachandrean: Para. [0017], Para. [0028], Para. [0030], Para. [0047]).
Regarding claim 8, Ismael, in combination with Poornachandrean, teaches the system of claim 7, where the protection module reports a result of the verification to the (Poornachandrean: Para. [0017], Para. [0028], Para. [0030], Para. [0047]).
Regarding claim 10, Ismael teaches the non-transitory computer-readable medium of claim 9. Ismael does not explicitly teach where the first environment is an isolated environment, where the isolated environment is one of a Trustzone system on chip, a hypervisor, a system management mode module, and an embedded controller, and where the second environment is a primary processing environment of the device.  
In an analogous art, Poornachandrean teaches a system and method wherein the first environment is an isolated environment, where the isolated environment is one of a Trustzone system on chip, a hypervisor, a system management mode module, and an embedded controller, and where the second environment is a primary processing environment of the device (Poornachandrean: Fig. 1, Para. [0014]-[0015]).
It would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Poornachandrean with the system and method of Ismael to include wherein the first environment is an isolated environment, where the isolated environment is one of a Trustzone system on chip, a hypervisor, a system management mode module, and an embedded controller, and where the second environment is a primary processing environment of the device because this functionality provides isolated environments for characterizing whether unexpected activity is legitimate and classify the source of the unexpected activity as malware if the unexpected activity is indeed not legitimate (Poornachandrean: Para. [0008]).

Claim(s) 14-15 are rejected under 35 U.S.C. 103 as being unpatentable over Ismael et al. (US 9,225,740; Hereinafter “Ismael”) in view of Poornachandrean et al. (US 2012/0167218; Hereinafter “Poornachandrean”) and further in view of Chung et al. (US 6,044,475; Hereinafter “Chung”).
Regarding claim 14, Ismael teaches a method (Ismael: Abstract, Col. 2, Lines 3-67), comprising: 
(Ismael: Fig. 1, Fig. 3, Col. 2, Lines 3-67, Col. 3, Lines 4-6, Col. 3, Lines 29-42, Col. 7, Lines 10-57); 
verify whether the security process exhibits the behavior alteration (Ismael: Fig. 3, Col. 2, Lines 3-12, Col. 4, Lines 53-65, Col. 5, Lines 10-58, Col. 6, Lines 23-43, Col. 16, Lines 49-57); and 
Ismael does not explicitly teach alter, from a protected environment of a device.
In an analogous art, Poornachandrean teaches alter, from a protected environment of a device, executable instructions associated with a security process in execution by a general operating environment of the device (Poornachandrean: Fig. 1, Para. [0014]-[0017], Para. [0028], Para. [0030], Para. [0047]).
It would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Poornachandrean with the system and method of Ismael to include alter, from a protected environment of a device because this functionality provides isolated environments for characterizing whether unexpected activity is legitimate and classify the source of the unexpected activity as malware if the unexpected activity is indeed not legitimate (Poornachandrean: Para. [0008]).
Ismael, in combination with Poornachandrean, does not explicitly teach restore the security process to a known valid state when the security process fails to exhibit the behavior alteration.
In an analogous art, teaches restore the security process to a known valid state when the security process fails to exhibit the behavior alteration (Chung: Abstract, Claim 1, restoring the process state to said checkpointed state at a second execution point, said restored process state retaining a pre-restoration value of at least one variable; resuming execution of the user application process using the restored process state; Col. 5, Lines 8-65).
(Chung: Col. 2, Lines 43-58).
Regarding claim 15, Ismael, in combination with Poornachandrean and Chung, teaches the method of claim 14, comprising: receiving directions from a remote device regarding how to modify the behavior of the security process; reporting results of the verification to the remote device; and receiving a signal directing the restoration of the security process from the remote device (Poornachandrean: Para. [0017], Para. [0028], Para. [0030], Para. [0047]).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
U.S. Patent Application Publication No. US 2016/0371496 by Sell.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Nelson Giddins whose telephone number is (571)272-7993.  The examiner can normally be reached on Monday - Friday, 9:00 AM - 5:00 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid can be reached at (571) 272-4063.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business 

/NELSON S. GIDDINS/            Primary Examiner, Art Unit 2437